<dependency>  <groupId>org.springframework.boot</groupId>  <artifactId>spring-boot-starter-security</artifactId></dependency>

spring:  security:    user:      name: admin        password: 123456

@RestController@RequestMapping("/demos")public class DemoController {  @GetMapping("home")  public Object home() {    return "demos home" ;  }}

@PostMapping("post")public Object post() {  return "demos post" ;}

public final class CsrfFilter extends OncePerRequestFilter {  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {    // 從默認的HttpSessionCsrfTokenRepository中獲取token，默認是從session中    CsrfToken csrfToken = this.tokenRepository.loadToken(request);    boolean missingToken = (csrfToken == null);    if (missingToken) {      // 如果當前session不存在則生成token      csrfToken = this.tokenRepository.generateToken(request);      // 如果csrfToken不為null，則這里什么都不做（不會保存）      this.tokenRepository.saveToken(csrfToken, request, response);    }    // ...    // 判斷當前的請求方法是否是（"GET", "HEAD", "TRACE", "OPTIONS"）    // 如果是上面的Method則直接放行，否則繼續往下執行    if (!this.requireCsrfProtectionMatcher.matches(request)) {      filterChain.doFilter(request, response);      return;    }    // 從請求header中獲取_csrf值，headerName = X-CSRF-TOKEN    String actualToken = request.getHeader(csrfToken.getHeaderName());    if (actualToken == null) {      // 如果header中不存在，則從請求參數中獲取 parameterName = _csrf      actualToken = request.getParameter(csrfToken.getParameterName());    }    // 判斷當前參數中的token值與保存到當前session中的是否想到，不等則返回403錯誤    if (!equalsConstantTime(csrfToken.getToken(), actualToken)) {      AccessDeniedException exception = (!missingToken) ? new InvalidCsrfTokenException(csrfToken, actualToken) : new MissingCsrfTokenException(actualToken);      this.accessDeniedHandler.handle(request, response, exception);      return;    }    filterChain.doFilter(request, response);  }}

@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter {  @Override  protected void configure(HttpSecurity http) throws Exception {    // 關閉csrf，就是刪除CsrfFilter過濾器。    http.csrf().disable() ;    // 攔截任意請求    http.authorizeRequests().anyRequest().authenticated() ;    // 這里需要加上該句，否則不會出現登錄頁面    http.formLogin() ;  }}