As the WebSecurityConfigurerAdapteruses an imperative approach you can inject the value of the security.enable-csrfvariable and disable CSRF when it be false. You are right, I think this should work out of the box.

由于WebSecurityConfigurerAdapter使用命令式方法，您可以注入security.enable-csrf变量的值并在它为 false 时禁用 CSRF。你是对的，我认为这应该是开箱即用的。

@Configuration
public class AuthConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserDetailsService userDetailsService;

    @Value("${security.enable-csrf}")
    private boolean csrfEnabled;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
       super.configure(http);

       if(!csrfEnabled)
       {
         http.csrf().disable();
       }
    }
}

What I did was to set that variable to false in my application.yml for when I had a devspring profile active, although you could create a profile called nosecurityfor such purposes too. It eases this process a lot:

我所做的是在我的 application.yml 中将该变量设置为 false，以便当我有一个devspring 配置文件处于活动状态时，尽管您也可以为此目的创建一个名为nosecurity的配置文件。它大大简化了这个过程：

--- application.yml ---

---应用程序.yml ---

# Production configuration
server:
  port: ${server.web.port}
admin.email: ${admin.email}
#etc
---
spring:
  profiles: dev

security.enable-csrf: false

#other Development configurations

I hope it suits your needs

我希望它适合您的需求

Update on Dec 17th of 2017

2017 年 12 月 17 日更新

Based on a comment of a Spring Boot memberthis issue is fixed on new versions of Spring: I had it on version 1.5.2.RELEASEbut it seems that in version 1.5.9.RELEASE(the latest stable one to the date before version 2) its already fixed and by default csrfis disabled and it can be enabled with security.enable_csrf: true. Therefore a possible solution could be just upgrading to version 1.5.9.RELEASE, before making a major one to version 2 where the architecture might be quite more different.

根据Spring Boot 成员的评论，此问题已在 Spring 的新版本上修复：我在版本上有它，1.5.2.RELEASE但似乎在1.5.9.RELEASE版本（版本 2 之前的最新稳定版本）中已修复默认情况下csrf是禁用的，可以通过security.enable_csrf: true. 因此，一个可能的解决方案可能只是升级到 version 1.5.9.RELEASE，然后将主要版本升级到version 2，其中架构可能会有很大不同。

An update:

更新：

Looks like there is an issue with disabling CSRF using application.properties on spring-boot 1.x (and thanks to Eliux for openning this case).

看起来在 spring-boot 1.x 上使用 application.properties 禁用 CSRF 存在问题（感谢 Eliux 打开这个案例）。

So my solution for spring-boot 1.5.7with an embedded tomcat is disabling CSRF via SecurityConfigclass (note that this way I keep the tomcat ootb basic authentication):

因此，我针对带有嵌入式 tomcat 的spring-boot 1.5.7 的解决方案是通过SecurityConfig类禁用 CSRF （请注意，我通过这种方式保留了 tomcat ootb 基本身份验证）：

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Note: 
        // Use this to enable the tomcat basic authentication (tomcat popup rather than spring login page)
        // Note that the CSRf token is disabled for all requests (change it as you wish...)
        http.csrf().disable().authorizeRequests().anyRequest().authenticated().and().httpBasic();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Add here any custom code you need in order to get the credentials from the user...  
        auth.inMemoryAuthentication()
            .withUser("myUserName")
            .password("myPassword")
            .roles("USER");
    }
}