2016-02-29

Disable CSRF on a specific firewall

I have an application that allows users to access it through 2 different channels:

  • normal, Twig
  • REST queries via FOSRestBundle - example.com/api/* addresses

I have enabled CSRF protection because I want to use it in the first case.

framework:
    csrf_protection: true

But... I need to disable CSRF protection while I am sending requests to /api/* addresses, because in that case I log in via OAuth.

Can I disable CSRF protection for a specific firewall?

My firewalls:

firewalls:
    oauth_token:
        pattern: ^/api/oauth/v2/token
        security: false
    api:
        pattern: ^/api/
        fos_oauth: true
        stateless: true
        anonymous: false
    main:
        pattern: ^/
        form_login:
            provider: chain_provider
            csrf_provider: form.csrf_provider
        logout: true
        anonymous: true

When I send a POST request to /api/ the server returns an error:

The CSRF token is invalid. Please try to resubmit the form.

I need to disable this protection for the api firewall and keep it for main. Is it possible?

Answer


This can be handled on a per-user basis:

http://symfony.com/doc/current/bundles/FOSRestBundle/2-the-view-layer.html#csrf-validation

When building a single application that should handle forms both via HTML forms as well as via a REST API, one runs into a problem with CSRF token validation. In most cases it is necessary to enable them for HTML forms, but it makes no sense to use them for a REST API. For this reason there is a form extension to disable CSRF validation for users with a specific role. This of course requires that REST API users authenticate themselves and get a special role assigned.

fos_rest:
    disable_csrf_role: ROLE_API
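As an added example (not code from the page and not FOSRestBundle's own implementation), this is the kind of form type extension the `disable_csrf_role` option describes: CSRF validation stays on by default and is switched off only for a principal that holds the API role, i.e. one that authenticated with an OAuth token on the stateless firewall. It assumes PHP 8 and a current Symfony (5.4+ form component API), and that the class is registered as a service with the `form.type_extension` tag and the hypothetical `$role` argument set to `ROLE_API`.

```php
<?php
// Added example (not from the page or FOSRestBundle): a form type extension that
// turns off CSRF validation only for principals that hold a given role, so forms
// submitted by OAuth-authenticated API clients on the stateless "api" firewall
// skip the token check while session users on the "main" firewall keep it.
namespace App\Form\Extension;

use Symfony\Component\Form\AbstractTypeExtension;
use Symfony\Component\Form\Extension\Core\Type\FormType;
use Symfony\Component\OptionsResolver\OptionsResolver;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;

final class DisableCsrfForRoleExtension extends AbstractTypeExtension
{
    public function __construct(
        private TokenStorageInterface $tokenStorage,
        private AuthorizationCheckerInterface $authorizationChecker,
        private string $role, // assumed to be ROLE_API, as in the page's fos_rest config
    ) {
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        // No security token means no authenticated request (CLI, or an anonymous
        // visitor on the main firewall): leave CSRF protection untouched.
        if (null === $this->tokenStorage->getToken()) {
            return;
        }
        // Only a principal that actually holds the role (one that presented a
        // valid OAuth token) gets the default flipped off; a session user never does.
        if (!$this->authorizationChecker->isGranted($this->role)) {
            return;
        }
        // A form that sets csrf_protection explicitly keeps its own value;
        // only the default changes.
        $resolver->setDefaults(['csrf_protection' => false]);
    }

    public static function getExtendedTypes(): iterable
    {
        return [FormType::class];
    }
}
```

With autoconfiguration the `form.type_extension` tag is added automatically; only the `$role` argument needs to be bound in `services.yaml`.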