Java 春季安全405_Java_Spring_Spring Mvc

Java 春季安全405

java spring spring-mvc

Java 春季安全405,java,spring,spring-mvc,Java,Spring,Spring Mvc,我的spring应用程序有以下配置： @Configuration @EnableWebSecurity public class MultipleHttpSecurityConfig { @Autowired @Qualifier("customUserDetailsService") UserDetailsService userDetailsService; @Autowired public void configureGlobalSecuri

我的spring应用程序有以下配置：

@Configuration
@EnableWebSecurity
public class MultipleHttpSecurityConfig {

    @Autowired
    @Qualifier("customUserDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
        auth.authenticationProvider(authenticationProvider());
    }

    @Bean
    public PlaintextPasswordEncoder passwordEncoder() {
        return new PlaintextPasswordEncoder();
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(userDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

    @Bean
    public AuthenticationTrustResolver getAuthenticationTrustResolver() {
        return new AuthenticationTrustResolverImpl();
    }

    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

        private static String REALM="MY_REALM";

        protected void configure(HttpSecurity http) throws Exception {

            http.csrf().disable()
            .authorizeRequests()
            .antMatchers("/api/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
            .and().httpBasic().realmName(REALM).authenticationEntryPoint(getBasicAuthEntryPoint())
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

        @Bean
        public CustomBasicAuthenticationEntryPoint getBasicAuthEntryPoint(){
            return new CustomBasicAuthenticationEntryPoint();
        }
    }

    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        PersistentTokenRepository tokenRepository;

        @Autowired
        @Qualifier("customUserDetailsService")
        UserDetailsService userDetailsService;

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/resources/**");
        }

        @Bean
        public PersistentTokenBasedRememberMeServices getPersistentTokenBasedRememberMeServices() {
            PersistentTokenBasedRememberMeServices tokenBasedservice = new PersistentTokenBasedRememberMeServices(
                    "remember-me", userDetailsService, tokenRepository);
            return tokenBasedservice;
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().antMatchers("/", "/index").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
                    .antMatchers("/categories", "/category/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
                    .antMatchers("/companies", "/company/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')")
                    .antMatchers("/locations", "/location/**").access("hasRole('ADMIN') or hasRole('SUPERADMIN')").and()
                    .formLogin().loginPage("/login").loginProcessingUrl("/login").usernameParameter("username")
                    .passwordParameter("password").and().rememberMe().rememberMeParameter("remember-me")
                    .tokenRepository(tokenRepository).tokenValiditySeconds(86400).and().csrf().and().exceptionHandling()
                    .accessDeniedPage("/Access_Denied");
        }
    }

}

在api url处，我得到了期望的结果。但是在Web登录时，我得到HTTP状态405-请求方法“POST”不受支持。有什么想法吗

Spring框架是：4.3.7.0版本 Spring安全性：4.2.2.1版本 DePub是：

   2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/login'; against '/resources/**'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-04-11 19:30:12 DEBUG HstsHeaderWriter:130 - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatch
er@9f37d03
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', GET]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:137 - Request 'POST /login' doesn't match 'GET /logout
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', POST]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/login'; against '/logout'
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', PUT]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:137 - Request 'POST /login' doesn't match 'PUT /logout
2017-04-11 19:30:12 DEBUG OrRequestMatcher:65 - Trying to match using Ant [pattern='/logout', DELETE]
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:137 - Request 'POST /login' doesn't match 'DELETE /logout
2017-04-11 19:30:12 DEBUG OrRequestMatcher:72 - No matches found
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2017-04-11 19:30:12 DEBUG AnonymousAuthenticationFilter:100 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fa90ed4:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; Session
Id: B6EBB4A5A07FDC44D8E19748CE6D5E5E; Granted Authorities: ROLE_ANONYMOUS'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-04-11 19:30:12 DEBUG FilterChainProxy:325 - /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-04-11 19:30:12 DEBUG AntPathRequestMatcher:157 - Checking match of request : '/login'; against '/api/**'
2017-04-11 19:30:12 DEBUG FilterSecurityInterceptor:210 - Public object - authentication not attempted
2017-04-11 19:30:12 DEBUG FilterChainProxy:310 - /login reached end of additional filter chain; proceeding with original chain
2017-04-11 19:30:12 DEBUG DispatcherServlet:865 - DispatcherServlet with name 'dispatcher' processing POST request for [/HeliosCMS/login]
2017-04-11 19:30:12 DEBUG RequestMappingHandlerMapping:310 - Looking up handler method for path /login
2017-04-11 19:30:12 DEBUG ExceptionHandlerExceptionResolver:133 - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not sup
ported
2017-04-11 19:30:12 DEBUG ResponseStatusExceptionResolver:133 - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not suppo
rted
2017-04-11 19:30:12 DEBUG DefaultHandlerExceptionResolver:133 - Resolving exception from handler [null]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not suppo
rted
2017-04-11 19:30:12 WARN  PageNotFound:215 - Request method 'POST' not supported
2017-04-11 19:30:12 DEBUG DispatcherServlet:1044 - Null ModelAndView returned to DispatcherServlet with name 'dispatcher': assuming HandlerAdapter completed request handling
2017-04-11 19:30:12 DEBUG DispatcherServlet:1000 - Successfully completed request
2017-04-11 19:30:12 DEBUG ExceptionTranslationFilter:116 - Chain processed normally
2017-04-11 19:30:12 DEBUG SecurityContextPersistenceFilter:119 - SecurityContextHolder now cleared, as request processing completed

这可能是映射问题，因为

/login

页面由API处理程序处理，因此POST永远不会到达登录控制器

哪个是api处理程序的映射？它应该是

/api/*

，而不是

或

/*

如果为配置API模块而将AbstractDispatcherServletInitializer子类化，则应该有如下内容：

       @Override
       protected String[] getServletMappings() {
        return new String[] { "/api/*" };
       }

如果这不是问题所在，我认为，阅读日志时，没有找到

/login

的处理程序，因此您应该调查映射。也许API映射足够严格，但web映射不是

。很难说没有看到配置

您是否在GET中看到了

/login

？

ant matcher/login与配置中的任何模式都不匹配

我猜在这个配置中，直接请求“/”可能会导致您的登录页面

您确定要发布到的/HeliosCMS/login URL正确吗？您的配置中没有任何其他内容提到此应用程序根，因此根据您的配置，我希望dispatcher尝试匹配/login模式，而不是/HeliosCMS/login

2017-04-11 19:30:12 DEBUG DispatcherServlet:865 - DispatcherServlet with name 'dispatcher' processing POST request for [/HeliosCMS/login]

我认为您需要从ApiWebSecurity配置适配器类的筛选中排除“/login”url是的，我可以在GET中看到/login。您需要哪种配置？您使用的AbstractDispatcherServletInitializer子类？我认为情况与此相似，因为有两个映射器api/web，但您会看到。。。就像这个问题的另一个答案一样，我没有看到一个叫我的处理程序。我会看一看，然后提供反馈。