我正在创建一个使用 spring-boot-starter-security 和 spring-security-oauth2 来使用Facebook登录的webapp .
为了避免在角度2中实现所有CSRF内容(因为它只是一个玩具项目),我想关闭CSRF .
我已经实现了以下配置:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
}
但现在 Principal -Object总是 null :
Task createTask(@RequestBody Task task, Principal principal) {
// do stuff
}
为什么?
我想我无意中覆盖了我的application.yaml中配置的安全配置,但即使我添加 Order -Annotation它也不起作用:(
Edit:
请求标头(我创建了一个过滤器来添加XSRF-TOKEN cookie,忽略它):
POST /foo HTTP/1.1
Host: localhost:81
Connection: keep-alive
Content-Length: 15
Origin: http://localhost:81
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Content-Type: application/json
Accept: */*
Referer: http://localhost:81/create-task
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: _ga=GA1.1.681162454.1458756836; JSESSIONID=F65FB28C14A8A2D870D18842DE855212; XSRF-TOKEN=551858ab-678e-4dcb-bc72-44fbc569ec41