<http>
    ...
    <csrf />
</http>
If some URLs should not be covered by CSRF protection, use the following approach:
Implement the RequestMatcher interface and, in its matches() method, exclude the URLs that should not be CSRF-checked. For example:
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class CsrfSecurityRequestMatcher implements RequestMatcher {
    // Safe (read-only) HTTP methods never require a CSRF token
    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    // RegexRequestMatcher does a full match against servletPath + pathInfo
    // (+ "?" + queryString), so a bare "/unprotected" would only cover that
    // exact path; this pattern covers /unprotected and everything beneath it.
    // The null second argument means "any HTTP method".
    private RegexRequestMatcher unprotectedMatcher =
            new RegexRequestMatcher("/unprotected(/.*)?(\\?.*)?", null);

    @Override
    public boolean matches(HttpServletRequest request) {
        // Returning true means "this request must carry a valid CSRF token"
        if (allowedMethods.matcher(request.getMethod()).matches()) {
            return false;
        }
        return !unprotectedMatcher.matches(request);
    }
}
Here, every URL beginning with /unprotected is exempt from CSRF checking.
Then, in the configuration file:
<http>
    <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
</http>
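An added check, not from the original post, that exercises the CsrfSecurityRequestMatcher above and shows exactly which requests the CsrfFilter will enforce a token on. It assumes spring-test's MockHttpServletRequest is on the classpath and that the matcher class compiles as shown; the bean wired via request-matcher-ref must be declared with the id csrfSecurityRequestMatcher.

```java
import org.springframework.mock.web.MockHttpServletRequest;

public class CsrfMatcherCheck {

    // RegexRequestMatcher compares the pattern against servletPath + pathInfo
    // (+ "?" + queryString), not the request URI, so the mock must set
    // servletPath explicitly; otherwise every path would be seen as "".
    static MockHttpServletRequest request(String method, String path) {
        MockHttpServletRequest req = new MockHttpServletRequest(method, path);
        int q = path.indexOf('?');
        if (q >= 0) {
            req.setServletPath(path.substring(0, q));
            req.setQueryString(path.substring(q + 1));
        } else {
            req.setServletPath(path);
        }
        return req;
    }

    // true: CsrfFilter demands a valid token; false: the request is exempt
    static boolean requiresCsrf(String method, String path) {
        return new CsrfSecurityRequestMatcher().matches(request(method, path));
    }

    static void expect(boolean expected, String method, String path) {
        boolean actual = requiresCsrf(method, path);
        if (actual != expected) {
            throw new AssertionError(method + " " + path + ": expected "
                    + expected + " but got " + actual);
        }
        System.out.println(method + " " + path + " -> CSRF "
                + (actual ? "required" : "exempt"));
    }

    public static void main(String[] args) {
        // Constructed sample requests, chosen to cover each branch of the matcher
        expect(false, "GET",    "/account/transfer");   // safe method, never checked
        expect(true,  "POST",   "/account/transfer");   // state-changing, protected
        expect(true,  "DELETE", "/account/1");          // any non-safe method is protected
        expect(false, "POST",   "/unprotected");        // exempt path
        expect(false, "POST",   "/unprotected/hook");   // exempt subtree
        expect(false, "POST",   "/unprotected?src=x");  // query string is part of the matched text
        expect(true,  "POST",   "/unprotected-admin");  // look-alike prefix is still protected
    }
}
```

Run the main method after any change to the exclusion regex: a pattern that is too broad silently turns off CSRF checking for state-changing endpoints, and this check makes such a widening visible immediately.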