[英]login with spring security and angular js returns 403
I'm learning spring and angularjs. 我正在学习spring和angularjs。 I'm trying to make a login following this guide spring-security-angular/single 我正在尝试按照此指南进行登录spring-security-angular / single
this is my SecurityConfig 这是我的SecurityConfig
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("a").password("a").roles("ADMIN");
auth.inMemoryAuthentication().withUser("b").password("b").roles("USER");
auth.inMemoryAuthentication().withUser("c").password("c").roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//http single
http.httpBasic().and().authorizeRequests()
.antMatchers("/index.html", "/home.html", "/login.html", "/", "/**").permitAll().anyRequest()
.authenticated().and().csrf()
.csrfTokenRepository(csrfTokenRepository()).and()
.addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
}
private Filter csrfHeaderFilter() {
return new OncePerRequestFilter() {
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
.getName());
if (csrf != null) {
Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
String token = csrf.getToken();
if (cookie == null || token != null
&& !token.equals(cookie.getValue())) {
cookie = new Cookie("XSRF-TOKEN", token);
cookie.setPath("/");
response.addCookie(cookie);
}
}
filterChain.doFilter(request, response);
}
};
}
private CsrfTokenRepository csrfTokenRepository() {
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
my angular service 我的角度服务
.config(function($stateProvider, $httpProvider) {
$httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
})
.factory('sessionService', function($http, $base64, $q, $rootScope) {
var session = {};
session.login = function(credentials) {
var defered = $q.defer();
var promise = defered.promise;
var headers = credentials ? { authorization : "Basic "
+ btoa(credentials.username + ":"
+ credentials.password)
} : {};
$http.get('/user', {
headers : headers
}).success(function(data) {
if (data.name) {
$rootScope.authenticated = true;
defered.resolve(data);
} else {
$rootScope.authenticated = false;
defered.reject(data);
}
}).error(function(data) {
$rootScope.authenticated = false;
defered.reject(data);
});
and this is the UserController 这是UserController
@RestController
public class UserCntroller {
@RequestMapping("/user")
public Principal user (Principal user){
return user;
}
The request method in your screenshot seems to be GET, so CSRF shouldn't be blocking it. 屏幕快照中的request方法似乎是GET,因此CSRF不应阻止它。 I suspect something else, like you are trying to access the URL (/user) without first authenticating properly. 我怀疑还有其他情况,例如您在未先进行正确身份验证的情况下尝试访问URL(/用户)。 Maybe you could include "/user"
in the antMatchers(...).permitAll()
and see what happens. 也许您可以在antMatchers(...).permitAll()
包含"/user"
,然后看看会发生什么。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.