[Spring] Spring Security 기본 Login Form 제거 및 CSRF 만 사용하기
ITWeb/개발일반 2020. 7. 7. 08:33
사용하다 보면 별의별 요구사항이 나오게 됩니다.
단순하게 CSRF만 사용하고 싶은데 자꾸 login form이 나와서 설정만으로 이걸 해결해 보고자 했습니다.
그러나 설정만으로는 안 되더라고요.
설정 예시) 비추천
# NOTE(review): these look like Spring Boot 1.x-era properties (presumably
# security.enable.csrf, security.basic.enabled and management.security.enabled;
# the nesting was lost in this listing). Spring Boot 2.0 removed
# security.basic.enabled and management.security.enabled, which would explain
# why configuration alone had no effect here. Confirm against the Boot version in use.
security:
enable:
csrf: true
basic:
enabled: false
management:
security:
enabled: false
코드 예시) 추천
/**
 * Security configuration that switches off HTTP Basic and keeps CSRF protection on.
 *
 * <p>Overriding {@code configure(HttpSecurity)} replaces the adapter's default rules
 * (authenticate every request, form login, HTTP Basic), which is why the generated
 * login form no longer appears. No {@code authorizeRequests()} rule is declared here,
 * so this class by itself does not require authentication for any URL; declare explicit
 * access rules if any endpoint must be protected.
 *
 * <p>NOTE(review): {@code WebSecurityConfigurerAdapter} is deprecated since Spring
 * Security 5.7 and removed in 6.0; newer projects declare a {@code SecurityFilterChain}
 * bean instead.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  /**
   * Configures the HTTP security chain: CSRF stays enabled, HTTP Basic is disabled.
   *
   * @param httpSecurity the builder supplied by the adapter
   * @throws Exception if the builder rejects the configuration
   */
  @Override
  protected void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        // CSRF protection is already part of the adapter's defaults; naming it here
        // only makes the intent visible and guards against an accidental disable().
        .csrf()
        .and()
        .httpBasic()
        .disable();
  }
}
참고 정보)
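dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-quartz'
    implementation 'org.springframework.boot:spring-boot-starter-web'

    // thymeleaf
    implementation 'org.thymeleaf.extras:thymeleaf-extras-java8time'
    implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
    implementation 'nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect'

    // spring security
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5'

    // Client-side libraries are pinned to fixed versions; re-check them against
    // current security advisories whenever the project is upgraded.
    implementation 'org.webjars:jquery:3.5.0'
    implementation 'org.webjars:jquery-ui:1.12.1'
    implementation 'org.webjars.bower:bootstrap:4.4.0'

    compileOnly 'org.projectlombok:lombok'
    annotationProcessor 'org.projectlombok:lombok'

    providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'

    // Test-support only: keeps the mock-user helpers off the production classpath.
    // (Was declared as 'implementation'; assumes no main-source code imports it.)
    testImplementation 'org.springframework.security:spring-security-test'
    testImplementation('org.springframework.boot:spring-boot-starter-test') {
        exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
    }
}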
<!-- Publishes the CSRF token and the name of the request header that carries it, so page scripts can read both. The token is a per-session secret: render it only into same-origin pages. -->
<meta id="_csrf" name="_csrf" th:content="${_csrf.token}" />
<meta id="_csrf_header" name="_csrf_header" th:content="${_csrf.headerName}" />
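// CSRF token and header name published by the server in the page's <meta> tags.
let token = $("meta[name='_csrf']").attr("content");
let header = $("meta[name='_csrf_header']").attr("content");

$(function() {
  // Attach the CSRF header to every same-origin jQuery AJAX request.
  $(document).ajaxSend(function(e, xhr, options) {
    // Never send the token to another origin: that would disclose the
    // session's CSRF secret to a third-party host.
    if (options.crossDomain) {
      return;
    }
    // Skip when the meta tags are missing rather than call
    // setRequestHeader with undefined values.
    if (!header || !token) {
      return;
    }
    xhr.setRequestHeader(header, token);
  });
});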
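spring:
  security:
    user:
      name: admin
      # Do not commit a guessable password such as "admin"; supply it from the environment.
      # APP_ADMIN_PASSWORD is an example variable name, not one defined by this project.
      # Startup fails if it is unset, which is preferable to shipping a default password.
      password: ${APP_ADMIN_PASSWORD}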