使用spring security和angular js登錄返回403

Question

我正在學習spring和angularjs。 我正在嘗試按照此指南進行登錄spring-security-angular / single

這是我的SecurityConfig

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("a").password("a").roles("ADMIN");
        auth.inMemoryAuthentication().withUser("b").password("b").roles("USER");
        auth.inMemoryAuthentication().withUser("c").password("c").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //http single
        http.httpBasic().and().authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/", "/**").permitAll().anyRequest()
                .authenticated().and().csrf()
                .csrfTokenRepository(csrfTokenRepository()).and()
                .addFilterAfter(csrfHeaderFilter(), CsrfFilter.class);
    }

    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response, FilterChain filterChain)
                    throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class
                        .getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null
                            && !token.equals(cookie.getValue())) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }

我的角度服務

    .config(function($stateProvider, $httpProvider) {

        $httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
    })
    .factory('sessionService', function($http, $base64, $q, $rootScope) {
        var session = {};

        session.login = function(credentials) {
            var defered = $q.defer();
            var promise = defered.promise;

            var headers = credentials ? {  authorization : "Basic "
                + btoa(credentials.username + ":"
                    + credentials.password)
            } : {};

            $http.get('/user', {
                headers : headers
            }).success(function(data) {
                if (data.name) {
                    $rootScope.authenticated = true;
                    defered.resolve(data);
                } else {
                    $rootScope.authenticated = false;
                    defered.reject(data);
                }

            }).error(function(data) {
                $rootScope.authenticated = false;
                defered.reject(data);
            });

這是UserController

    @RestController
    public class UserCntroller {

        @RequestMapping("/user")
        public Principal user (Principal user){
            return user;
        }

但是登錄時得到403。

Answer 1

屏幕快照中的request方法似乎是GET，因此CSRF不應阻止它。 我懷疑還有其他情況，例如您在未先進行正確身份驗證的情況下嘗試訪問URL（/用戶）。 也許您可以在antMatchers(...).permitAll()包含"/user" ，然后看看會發生什么。