Java 禁止使用Tomcat 9中的POST请求启动弹簧403
我是spring boot的新手,正在创建一个web应用程序。我绕过了没有JWT令牌身份验证的“/auth/login”URL 我已经创建了一个控制器来处理登录请求并给出响应 当我在本地使用URL调用带有URL的web服务时Java 禁止使用Tomcat 9中的POST请求启动弹簧403,java,spring,spring-boot,spring-security,spring-security-rest,Java,Spring,Spring Boot,Spring Security,Spring Security Rest,我是spring boot的新手,正在创建一个web应用程序。我绕过了没有JWT令牌身份验证的“/auth/login”URL 我已经创建了一个控制器来处理登录请求并给出响应 当我在本地使用URL调用带有URL的web服务时 http://localhost:9505/auth/login带车身参数 { "username":"abcd@g.l", "password" : "newPassword" } 它工作正常,不检查令牌,但当我导出它并创建WAR文件并部署到服务器上时,
http://localhost:9505/auth/login
带车身参数
{
"username":"abcd@g.l",
"password" : "newPassword"
}
它工作正常,不检查令牌,但当我导出它并创建WAR文件并部署到服务器上时,它会给我403禁止的错误
下面是我在Tomcat9服务器上部署后用来调用API的URL
http://localhost:9505/myapplicationame/auth/login
你能告诉我有什么问题吗
下面是我的安全配置方法
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("SecurityConfig => configure : Configure in SecurityConfig");
logger.info("http Request Path : ");
logger.info("servletContext.getContextPath()) : " + servletContext.getContextPath());
http
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/auth/**")
.permitAll()
.antMatchers("/auth/login")
.permitAll()
.antMatchers("/permissions")
.permitAll()
.anyRequest()
.authenticated();
// Add our custom JWT security filter
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
下面是我的过滤类
@Configuration
@CrossOrigin
@EnableWebSecurity
@EnableMBeanExport(registration=RegistrationPolicy.IGNORE_EXISTING)
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
@Order(SecurityProperties.IGNORED_ORDER)
public class JwtAuthenticationFilter extends OncePerRequestFilter {
@Autowired
JwtTokenProvider tokenProvider;
@Autowired
CustomUserDetailsService customUserDetailsService;
@Autowired
AdminPermissionRepository adminPermissionRepository;
@Autowired
PermissionMasterRepository permissionMasterRepository;
@Autowired
private ServletContext servletContext;
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
FilterChain filterChain) throws IOException, ServletException {
if (StringUtils.hasText(jwt) && isValidToken) {
// Check user email and password
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
adminDetails, null, adminDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
SecurityContextHolder.getContext().setAuthentication(authentication);
logger.info("Before finish doFilterInternal");
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
/**
* To get JWT token from the request
*
* @param httpServletRequest
* @return String
*/
private String getJwtFromRequest(HttpServletRequest httpServletRequest) {
logger.info("JwtAuthenticationFilter => getJwtFromRequest");
String bearerToken = httpServletRequest.getHeader("Authorization");
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")) {
logger.info("Have token");
return bearerToken.substring(7, bearerToken.length());
}
logger.info("Does not have token");
return null;
}
}
下面是我的控制器
@RestController
@Transactional(rollbackFor=Exception.class)
public class AuthController {
@PostMapping("/auth/login")
ResponseEntity login(@Valid @RequestBody LoginRequest request)
throws DisabledException, InternalAuthenticationServiceException, BadCredentialsException {
// My logic
return ResponseEntity.ok();
}
}
尝试向类中添加以下注释
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ServletContext servletContext;
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("SecurityConfig => configure : Configure in SecurityConfig");
logger.info("http Request Path : ");
logger.info("servletContext.getContextPath()) : " + servletContext.getContextPath());
http
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/auth/**")
.permitAll()
.antMatchers("/auth/login")
.permitAll()
.antMatchers("/permissions")
.permitAll()
.anyRequest()
.authenticated();
// Add our custom JWT security filter
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
尝试向类中添加以下注释
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private ServletContext servletContext;
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("SecurityConfig => configure : Configure in SecurityConfig");
logger.info("http Request Path : ");
logger.info("servletContext.getContextPath()) : " + servletContext.getContextPath());
http
.csrf()
.disable()
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/",
"/favicon.ico",
"/**/*.png",
"/**/*.gif",
"/**/*.svg",
"/**/*.jpg",
"/**/*.html",
"/**/*.css",
"/**/*.js")
.permitAll()
.antMatchers("/auth/**")
.permitAll()
.antMatchers("/auth/login")
.permitAll()
.antMatchers("/permissions")
.permitAll()
.anyRequest()
.authenticated();
// Add our custom JWT security filter
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
问题在于我的tomcat服务器中的COR 我已经对下面的代码进行了注释,它是有效的
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>http://localhost:9505, http://localhost, www.mydomain.io, http://mydomain.io, mydomain.io</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
克斯菲尔特
org.apache.catalina.filters.CorsFilter
科尔斯
http://localhost:9505, http://localhost,www.mydomain.io,http://mydomain.io,mydomain.io
克斯菲尔特
/*
谢谢问题在于我的tomcat服务器中的COR 我已经对下面的代码进行了注释,它是有效的
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>http://localhost:9505, http://localhost, www.mydomain.io, http://mydomain.io, mydomain.io</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
克斯菲尔特
org.apache.catalina.filters.CorsFilter
科尔斯
http://localhost:9505, http://localhost,www.mydomain.io,http://mydomain.io,mydomain.io
克斯菲尔特
/*
谢谢是的,我也尝试过这种方法,但仍然不起作用。我在问题中添加了serverlet上下文路径。感谢您的回复请尝试向您的安全类添加批注。我也尝试过使用批注,但仍然遇到相同的错误。我已经更新了代码alsoYes,我也尝试过这种方法,但仍然不起作用。我在问题中添加了serverlet上下文路径。感谢您的回复请尝试向您的安全类添加批注。我也尝试过使用批注,但仍然遇到相同的错误。我还更新了代码。引发此异常的一点是filterChain.doFilter()。我认为您在发出请求时遗漏了jwt负载中的一些信息,请仔细检查它们是否存在,用户名、sub、过期时间、作用域。我已全局处理异常,因此我认为它不会生成异常。引发此异常的一点是filterChain.doFilter()。我认为您在发出请求时遗漏了jwt负载中的一些信息,请仔细检查它们是否存在,用户名、sub、过期时间、范围。我已全局处理异常,因此我认为它不会生成异常。我还必须添加
corscoConfiguration.setAllowedOriginations(“*”)代码>用于FF。即使从同一个域访问,对js.maps的请求也返回403代码>用于FF。即使从同一个域访问,对js.maps的请求也返回403。