[英]Spring Security- Allows GET but not POST
我正在構建一個簡單的應用程序,並且對Spring Security還是陌生的,所以請多多包涵。 但是無論如何,我有一個RESTful應用程序,它需要一些信息並將信息顯示到表中。 在實施Spring Security之前,一切正常。 但是現在我只能登錄該應用程序,而無法使用其余功能。 AJAX最初獲取我表的所有信息,並且工作正常,但是當我將數據發布到數據庫時,它返回403 FORBIDDEN。
這是我的security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<cors />
<intercept-url pattern="/**" access="hasRole('ADMIN')" />
<intercept-url method="POST" pattern="/TAS/students" access="hasRole('ADMIN')" />
<form-login />
<logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailService"/>
</authentication-manager>
</beans:beans>
這是我的Spring配置servlet
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation=
"http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<annotation-driven />
<resources mapping="/resources/**" location="/resources/" />
<beans:bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix">
<beans:value>/WEB-INF/views/jsp/</beans:value>
</beans:property>
<beans:property name="suffix">
<beans:value>.jsp</beans:value>
</beans:property>
</beans:bean>
<mvc:default-servlet-handler/>
<beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close">
<beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
<beans:property name="url"
value="jdbc:mysql://localhost:3306/tds_mock" />
<beans:property name="username" value="blahblah" />
<beans:property name="password" value="blahblah" />
</beans:bean>
<!-- Hibernate 4 SessionFactory Bean definition -->
<beans:bean id="hibernate5AnnotatedSessionFactory"
class="org.springframework.orm.hibernate5.LocalSessionFactoryBean">
<beans:property name="dataSource" ref="dataSource" />
<beans:property name="annotatedClasses">
<beans:list>
<beans:value>tas.web.student.Student</beans:value>
<beans:value>tas.web.user.User</beans:value>
<beans:value>tas.web.user.UserRole</beans:value>
</beans:list>
</beans:property>
<beans:property name="hibernateProperties">
<beans:props>
<beans:prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect
</beans:prop>
<beans:prop key="hibernate.show_sql">true</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
<beans:bean id="userDao" class="tas.web.user.UserDAOImp">
<beans:property name="sessionFactory"
ref="hibernate5AnnotatedSessionFactory"></beans:property>
</beans:bean>
<beans:bean id="myUserDetailService" class="tas.web.user.UserService">
<beans:property name="userDao" ref="userDao"></beans:property>
</beans:bean>
<tx:annotation-driven transaction-manager="transactionManager"/>
<beans:bean id="transactionManager"
class="org.springframework.orm.hibernate5.HibernateTransactionManager">
<beans:property name="sessionFactory"
ref="hibernate5AnnotatedSessionFactory" />
</beans:bean>
<beans:bean id="jsonMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
</beans:bean>
<context:component-scan base-package="tas.web"/>
</beans:beans>
最后是我的restcontroller
package tas.web.student;
import java.io.IOException;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import tas.web.student.StudentService;
import net.aksingh.owmjapis.CurrentWeather;
import net.aksingh.owmjapis.OpenWeatherMap;
@RestController
public class StudentController {
@Autowired
StudentService studentService;
@GetMapping(value = "/students")
public List<Student> getStudents() {
List<Student> listOfStudents = studentService.getStudents();
return listOfStudent;
}
@GetMapping(value = "/students/{studentID}")
public Student getStudentById(@PathVariable long studentID) {
return studentService.getStudent(studentID);
}
@PostMapping(value = "/students")
public Student addStudent(@RequestBody Student student) {
return studentService.addStudent(student);
}
@PutMapping(value = "/students/{studentID}")
public Student updateStudent(@PathVariable("studentID") Long studentID, @RequestBody Student student) {
return studentService.updateStudent(student);
}
@DeleteMapping(value = "/students/{studentID}")
public void deleteStudent(@PathVariable("studentID") long studentID) {
studentService.deleteStudent(studentID);
}
@GetMapping(value = "/current/{city}")
public ResponseEntity currentWeather(@PathVariable("city") String city) throws IOException{
OpenWeatherMap openWMap = new OpenWeatherMap("APIkey");
CurrentWeather currentW = openWMap.currentWeatherByCityName(city);
return new ResponseEntity(currentW, HttpStatus.OK);
}
}
我的數據庫是MySQL 5.7.3,我正在使用hibernate訪問它。 在實施Spring Security之前,一切工作正常。 如果需要其他文件,請讓我知道並提前感謝您!
在您的* .jsp中帶有“ post”形式,將這個taglib添加到文件頂部:
<%@taglib uri="http://www.springframework.org/security/tags"
prefix ="security" %>
然后在jsp的頭部添加以下內容:
<security:csrfMetaTags />
並在表單標簽中添加以下內容:
<security:csrfInput/>
您的構建中還必須具有以下依賴關系:
org.springframework.security spring-security-taglibs
Spring Security只是在做它。
你應該知道什么
Spring安全指南針對跨站點請求偽造攻擊(CSRF攻擊)提供此功能,並且默認情況下啟用此功能。 因此,既然您已經實現了spring安全性,則需要在所有表單發布和ajax post請求中傳遞CSRF令牌,以使那些請求成功執行,否則spring security將拋出AccessDeniedException並返回錯誤403作為響應。
閱讀此 Spring安全文檔,以更好地了解Spring安全CSRF功能的用途以及如何使用它。
Spring Security-如何在CustomTokenAuthenticationFilter中指定過濾器處理url
[英]Spring Security- How to specify filter processing url in CustomTokenAuthenticationFilter
Spring Security-在身份驗證失敗網址中捕獲異常
[英]spring security- catch exception inside the authentication failure url
Spring security-在休息服務中將憑據作為json而不是常規形式發送
[英]Spring security- Send credentials as json instead of regular form in rest service
Spring Security-org.springframework.beans.factory.BeanCreationException:創建名稱為'org.springframework.security.filterChains'的bean時出錯
[英]Spring security- org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.filterChains'
在Spring Security中,如何繞過URL的GET方法; 而不是POST之一
[英]In Spring Security, how to bypass the GET method of an URL; but not the POST one
Spring security antMatchers 未應用於 POST 請求,僅適用於 GET
[英]Spring security antMatchers not being applied on POST requests and only works with GET
啟用彈簧安全性的POST請求顯示“不支持405 GET”
[英]POST request says “405 GET not supported” with Spring security enabled
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.