堆棧內存溢出
  簡體   English   中英

Spring Security吃AngularJS POST請求

[英]Spring security eating angularjs POST request

 原文  2015-10-11 01:17:49       java/ angularjs/ spring/ spring-mvc/ spring-security

問題描述

在使用spring security自定義登錄表單時,我從UI傳遞的參數無法在HttpServletRequest中訪問。 

class StatelessLoginFilter extends AbstractAuthenticationProcessingFilter {

    private final TokenAuthenticationService tokenAuthenticationService;
    private final CustomJDBCDaoImpl userDetailsService;

    protected StatelessLoginFilter(String urlMapping, TokenAuthenticationService tokenAuthenticationService,
            CustomJDBCDaoImpl userDetailsService, AuthenticationManager authManager) {
        super(new AntPathRequestMatcher(urlMapping));
        this.userDetailsService = userDetailsService;
        this.tokenAuthenticationService = tokenAuthenticationService;
        setAuthenticationManager(authManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {

                final UsernamePasswordAuthenticationToken loginToken = new UsernamePasswordAuthenticationToken(
                request.getAttribute("email").toString(), request.getAttribute("password").toString());
        return getAuthenticationManager().authenticate(loginToken);
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authentication) throws IOException, ServletException {

        final UserDetails authenticatedUser = userDetailsService.loadUserByUsername(authentication.getName());
        final UserAuthentication userAuthentication = new UserAuthentication(authenticatedUser);

        tokenAuthenticationService.addAuthentication(response, userAuthentication);
        SecurityContextHolder.getContext().setAuthentication(userAuthentication);
    }
}

在AttemptAuthentication方法中,請求未使用以下代碼從POST請求傳遞的屬性: 

 var request = $http.post('/verifyUser', 
       {email: 'user', password: 'user',_csrf: $cookies['XSRF-TOKEN']})

我嘗試使用調試器控制台對其進行跟蹤,發現有效負載中填充了我轉發的元素。

{“電子郵件”:“用戶”,“密碼”:“用戶”,“ _ csrf”:“ f1d88246-28a0-4e64-a988-def4cafa5004”}

我的安全配置是: 

http
                .exceptionHandling().and()
                .anonymous().and()
                .servletApi().and()
                .headers().cacheControl().and()
                .authorizeRequests()

                //allow anonymous resource requests
                .antMatchers("/").permitAll()               
                //allow anonymous POSTs to login
                .antMatchers(HttpMethod.POST, "/verifyUser").permitAll()
                .and()
                  .formLogin().loginPage("/signin")
                .permitAll()
                .and()

                .addFilterBefore(new StatelessLoginFilter("/verifyUser", new TokenAuthenticationService("456abc"), new CustomJDBCDaoImpl() , authenticationManager()), UsernamePasswordAuthenticationFilter.class)


                .addFilterBefore(new StatelessAuthenticationFilter(new TokenAuthenticationService("456abc")), UsernamePasswordAuthenticationFilter.class).httpBasic()
                         .and().csrf().disable().addFilterBefore(new CSRFFilter(), CsrfFilter.class);

編輯#1

我也嘗試使用getParameter(“ email”)代替getAttribute(“ email”),但是,整個參數映射在這一點上也是空的。

編輯#2:添加請求內容 

Remote Address:127.0.0.1:80
Request URL:http://localhost/api/verifyUser/
Request Method:POST
Status Code:502 Bad Gateway
Response Headers
view source
Connection:keep-alive
Content-Length:583
Content-Type:text/html
Date:Sun, 11 Oct 2015 17:23:24 GMT
Server:nginx/1.6.2 (Ubuntu)
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:81
Content-Type:application/x-www-form-urlencoded
Cookie:XSRF-TOKEN=f1d88246-28a0-4e64-a988-def4cafa5004
Host:localhost
Origin:http://localhost
Referer:http://localhost/ui/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
X-XSRF-TOKEN:f1d88246-28a0-4e64-a988-def4cafa5004
Form Data
view source
view URL encoded
{"email":"user","password":"user"}:

1 個解決方案

解決方案1
 0 已采納  2015-10-11 06:45:43

所需的emailpassword數據是參數,而不是屬性。 ServletRequest中的屬性是僅服務器端的數據,您可以在應用程序中使用它們在類之間或JSP之間傳遞數據。

注意:您必須使用內容類型application/x-www-form-urlencoded ,並確保請求主體的編碼格式正確,才能在服務器端使用getParameter ,例如email=user&password=user

默認情況下,Angular將對象編碼為JSON

轉換請求和響應

Angular提供以下默認轉換:

請求轉換($ httpProvider.defaults.transformRequest和$ http.defaults.transformRequest):

如果請求配置對象的data屬性包含一個對象,則將其序列化為JSON格式。

另請參閱如何在AngularJS中使用$ http發布urlencode表單數據?

getAttribute()和getParameter()之間的區別

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 Spring Security + angularjs Ajax發布 AngularJS + Spring Security-如何在POST請求中設置CSRF令牌? Spring Security 4.0.1請求方法'POST'不支持 Spring Security不支持請求方法“ POST” 如何使用Spring Security和RESTful進行POST請求? Spring Boot安全請求方法'POST'不受支持 不支持請求方法“POST” Spring 安全 "Spring Security - 不支持 405 請求方法“POST”" Spring POST請求顯示具有彈簧安全性的404錯誤頁面 405 - 不支持請求方法“POST” Spring MVC + Spring 安全
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM