Java Spring Security 403 response to POST/PUT/DELETE
Tags: java, spring, rest, spring-boot

I am trying to get some role-based authorization working in Spring, but I am running into 403 responses on POST/PUT/DELETE requests. I have looked for solutions elsewhere, but the suggested solution of disabling CSRF does not solve the problem. Here is my HTTP configuration:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests()
                // Note: from Spring Security 4.0 on, hasAnyRole() adds the "ROLE_"
                // prefix itself, so the arguments would be "TRAINER"/"ADMIN" there;
                // the prefixed form below is only literal on Spring Security 3.x.
                .antMatchers(HttpMethod.GET, "/**").hasAnyRole("ROLE_TRAINER", "ROLE_ADMIN")
                .antMatchers(HttpMethod.PATCH, "/user/**").hasAnyRole("ROLE_TRAINER", "ROLE_ADMIN")
                .antMatchers(HttpMethod.PUT, "/**").hasAnyRole("ROLE_TRAINER", "ROLE_ADMIN")
                .antMatchers(HttpMethod.POST, "/**").hasAnyRole("ROLE_TRAINER", "ROLE_ADMIN")
                .antMatchers(HttpMethod.DELETE, "/**").hasAnyRole("ROLE_TRAINER", "ROLE_ADMIN")
                .anyRequest().authenticated()
            .and()
            // csrf().disable() returns the HttpSecurity builder, so formLogin()
            // chains directly without an .and()
            .csrf().disable()
            .formLogin().permitAll()
            .and()
            .logout().permitAll();
    }
When I debug the code, only GET requests make the program go through the UserDetails object that supplies the collection of roles (defined below).

Because of the CSRF issue, I added the following code to the configuration:
    // Copies the current CSRF token into an XSRF-TOKEN cookie (double-submit
    // pattern) whenever the cookie is missing or stale. The token comes from the
    // CsrfToken request attribute that Spring's CsrfFilter sets earlier in the chain.
    private Filter csrfHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request,
                                            HttpServletResponse response,
                                            FilterChain filterChain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || token != null && !token.equals(cookie.getValue())) {
                        // Token is being added to the XSRF-TOKEN cookie.
                        // Not HttpOnly on purpose: a browser client must read it to
                        // echo it back in the X-XSRF-TOKEN header.
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                filterChain.doFilter(request, response);
            }
        };
    }

    // Session-backed token store that reads the token from the X-XSRF-TOKEN
    // header instead of the default X-CSRF-TOKEN header.
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
and I tried removing the antMatchers and just requiring authentication:
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().httpBasic()
            .and()
            .csrf().csrfTokenRepository(csrfTokenRepository())
            .and()
            // Register the cookie-writing filter after SessionManagementFilter, i.e.
            // after CsrfFilter has already populated the CsrfToken request attribute.
            .addFilterAfter(csrfHeaderFilter(), SessionManagementFilter.class);
    }
Do you know why this behaviour happens?

Are you trying the request with a user that has the role ROLE_CLIENT? Because the only difference between GET and PUT is the / in the ant matching, and different roles.

I changed the code so that there is no difference in the expected roles and URL patterns. The problem persists. I still do not understand why my code calls the getRoles() method only for GET requests and not for the other requests.

Besides the "response code", can you also look at the "response message"? If you are using a browser, maybe the web console --> Network tab?

I am using Postman, where I just get a Forbidden message. Also, it is strange that a user with a non-qualifying role has access to the request. For example, I tried with a user that only has the client role, but still got a valid response for the GET request.
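The following is an added example, not code from the question or from Spring itself. It pulls the two configurations above (the per-method role matchers, and the CSRF token repository plus cookie filter) into one complete WebSecurityConfigurerAdapter so the two things the 403 can come from, a role mismatch and a missing CSRF token, are visible side by side. It assumes Spring Boot 2.x with Spring Security 5.x (the WebSecurityConfigurerAdapter style used in the question); the class name ApiSecurityConfig, the in-memory users and their passwords, and the /user/** prefix are assumptions for the demonstration.

```java
// Added example (not the asker's code). Assumes Spring Boot 2.x / Spring Security 5.x.
// Users, passwords and paths below are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public UserDetailsService userDetailsService() {
        // roles("TRAINER") stores the authority as "ROLE_TRAINER"; that stored
        // value is what hasAnyRole("TRAINER", ...) is compared against.
        // "{noop}" selects the plain-text encoder of the Spring Security 5
        // DelegatingPasswordEncoder; use bcrypt outside a demo.
        return new InMemoryUserDetailsManager(
                User.withUsername("trainer").password("{noop}trainer-pw").roles("TRAINER").build(),
                User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN").build(),
                User.withUsername("client").password("{noop}client-pw").roles("CLIENT").build());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic()
            .and()
            .authorizeRequests()
                // Since Spring Security 4.0, hasRole()/hasAnyRole() add the ROLE_
                // prefix themselves, so the argument is "TRAINER", not "ROLE_TRAINER"
                // (the prefixed form would demand an authority named ROLE_ROLE_TRAINER).
                // Matchers are evaluated in order, so the narrower pattern goes first.
                .antMatchers(HttpMethod.PATCH, "/user/**").hasAnyRole("TRAINER", "ADMIN")
                .antMatchers(HttpMethod.GET, "/**").hasAnyRole("TRAINER", "ADMIN")
                .antMatchers(HttpMethod.PUT, "/**").hasAnyRole("TRAINER", "ADMIN")
                .antMatchers(HttpMethod.POST, "/**").hasAnyRole("TRAINER", "ADMIN")
                .antMatchers(HttpMethod.DELETE, "/**").hasAnyRole("TRAINER", "ADMIN")
                .anyRequest().authenticated()
            .and()
            // Cookie double-submit CSRF, replacing the hand-written OncePerRequestFilter
            // and HttpSessionCsrfTokenRepository: Spring writes the token to an
            // XSRF-TOKEN cookie (HttpOnly=false so a browser client can read it) and
            // CsrfFilter expects it back in the X-XSRF-TOKEN header. CsrfFilter never
            // checks GET, HEAD, TRACE or OPTIONS, so a missing token only shows up on
            // POST, PUT, PATCH and DELETE.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place, a client such as Postman has to send the value of the XSRF-TOKEN cookie from a previous response back in an X-XSRF-TOKEN header on every POST/PUT/PATCH/DELETE; a request that omits the header is rejected by CsrfFilter with 403 before the role check runs, and a request from the client user is rejected by the role check with 403 regardless of the token. To tell the two apart, set logging.level.org.springframework.security=DEBUG in application.properties: the debug log names the filter that denied the request. On Spring Security 3.x, which does not add the prefix, the original "ROLE_TRAINER" arguments are the correct form.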