Java 春季保安阻断公共休息服务
我对Spring Security和我的公共休息服务有点问题(只有我使用POST) 我的RestController是:Java 春季保安阻断公共休息服务,java,spring,rest,spring-security,spring-boot,Java,Spring,Rest,Spring Security,Spring Boot,我对Spring Security和我的公共休息服务有点问题(只有我使用POST) 我的RestController是: @RestController @RequestMapping(value="/public/rest/status") Public class DoSomeThing { @RequestMapping(method=RequestMethod.GET) public String getStatus(){ return "OK";
@RestController
@RequestMapping(value="/public/rest/status")
Public class DoSomeThing {
@RequestMapping(method=RequestMethod.GET)
public String getStatus(){
return "OK";
}
@RequestMapping(method=RequestMethod.POST)
public String setON(){
return "Done";
}
}
我的春季安全是:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private LogoutHandler logoutHandler;
@Autowired
private AuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private AccessDeniedHandler accessDeniedHandler;
@Autowired
private AuthenticationFailureHandler authenticationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/error/**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/adm/**").hasAnyRole(Role.ROOT,Role.ADM)
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(authenticationSuccessHandler)
.failureHandler(authenticationFailureHandler)
.defaultSuccessUrl("/home",true)
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/login")
.permitAll()
.addLogoutHandler(logoutHandler)
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler);
}
}
当我尝试通过“完全正常”访问我的Rest服务时:
$curl -i -X GET localhost:8080/public/rest/status
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;charset=UTF-8
Content-Length: 2
Date: Sun, 10 Jan 2016 05:23:10 GMT
但当我尝试使用POST时,其余的都是否定的
$curl -i -X POST localhost:8080/public/rest/status
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=57387564970B157C03310B6DAFE8E82B; Path=/; HttpOnly
Location: /error/denied
Content-Length: 0
Date: Sun, 10 Jan 2016 05:23:26 GMT
我如何授予对所有REST服务的访问权(POST和GET)?当您使用Java Config for spring security时,默认情况下
CSRF
保护处于启用状态。您应该为POST
请求提供CSRF
令牌,或者通过添加此配置来禁用它:
http
...
.and()
.csrf().disable();
当您使用Java Config for spring security时,默认情况下,
CSRF
保护为ON
。您应该为POST
请求提供CSRF
令牌,或者通过添加此配置来禁用它:
http
...
.and()
.csrf().disable();
谢谢你的建议,工作很好 测试此建议后,我使用以下代码修改了WebSecurity配置类:
and().csrf().ignoringAntMatchers("/public/**") ...
使用此指令,spring安全性将仅禁用我的公共映射 谢谢你的建议,工作很好 测试此建议后,我使用以下代码修改了WebSecurity配置类:
and().csrf().ignoringAntMatchers("/public/**") ...
使用此指令,spring安全性将仅禁用我的公共映射