Spring 云网关 POST 禁止访问
Spring Cloud Gateway POST Forbidden
我在带有 RelayToken 过滤器的 Cloud Gateway 路由后面有一个资源服务:
routes:
- id: apis
uri: http://rest-app:8080/apis
predicates:
- Path=/apis/**
filters:
- TokenRelay=
GET 请求工作正常,但在 POSTs 我收到 403 Forbidden 响应正文包含
CSRF Token has been associated to this client
我试图禁用 CSRF 保护添加 Bean
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http.csrf().disable().cors().disable().build()
}
但这没有效果,我仍然得到 403。此外,我无法调试到底是哪个过滤器阻止客户端执行 POST 请求,这是我通过
获得的唯一日志记录信息
logging:
level:
root: INFO
org.springframework.web: TRACE
org.springframework.security: TRACE
org.springframework.security.oauth2: TRACE
org.springframework.cloud.gateway: TRACE
org.springframework.security.jwt: TRACE
只是几行说 POST 被禁止
[2020-04-01 13:21:32,635] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] HTTP POST "/apis/", headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] Completed 403 FORBIDDEN, headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.h.s.r.ReactorHttpHandlerAdapter - [58a0e540-10] Handling completed
如何正确关闭 CSRF?
更正 SecurityWebFilterChain 解决了我的问题:
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http
.authorizeExchange().anyExchange().authenticated()
.and()
.oauth2Login()
.and()
.csrf().disable()
.build()
}
我在带有 RelayToken 过滤器的 Cloud Gateway 路由后面有一个资源服务:
routes:
- id: apis
uri: http://rest-app:8080/apis
predicates:
- Path=/apis/**
filters:
- TokenRelay=
GET 请求工作正常,但在 POSTs 我收到 403 Forbidden 响应正文包含
CSRF Token has been associated to this client
我试图禁用 CSRF 保护添加 Bean
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http.csrf().disable().cors().disable().build()
}
但这没有效果,我仍然得到 403。此外,我无法调试到底是哪个过滤器阻止客户端执行 POST 请求,这是我通过
获得的唯一日志记录信息logging:
level:
root: INFO
org.springframework.web: TRACE
org.springframework.security: TRACE
org.springframework.security.oauth2: TRACE
org.springframework.cloud.gateway: TRACE
org.springframework.security.jwt: TRACE
只是几行说 POST 被禁止
[2020-04-01 13:21:32,635] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] HTTP POST "/apis/", headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.w.s.a.HttpWebHandlerAdapter - [58a0e540-10] Completed 403 FORBIDDEN, headers={masked}
[2020-04-01 13:21:32,640] TRACE o.s.h.s.r.ReactorHttpHandlerAdapter - [58a0e540-10] Handling completed
如何正确关闭 CSRF?
更正 SecurityWebFilterChain 解决了我的问题:
@Bean
fun springWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http
.authorizeExchange().anyExchange().authenticated()
.and()
.oauth2Login()
.and()
.csrf().disable()
.build()
}