Spring Security——”;错误:禁止“;来自rest端点的响应
我正在我的项目中设置SpringSecurity,但在访问我的一个rest端点时遇到了一些问题。当我通过客户端点击端点时,我从服务器收到一个“错误:禁止”响应 我要做的是进入登录页面(我假设此时我是一个匿名用户,角色为_anonymous),然后单击一个选项卡,显示一个创建新帐户表单 当我填写字段并点击submit时,就会调用rest端点,并将JSON数据发送到服务器。在我的安全配置中,我在下面发布了我正在使用的端点url,Spring Security——”;错误:禁止“;来自rest端点的响应,spring,spring-mvc,spring-security,spring-rest,Spring,Spring Mvc,Spring Security,Spring Rest,我正在我的项目中设置SpringSecurity,但在访问我的一个rest端点时遇到了一些问题。当我通过客户端点击端点时,我从服务器收到一个“错误:禁止”响应 我要做的是进入登录页面(我假设此时我是一个匿名用户,角色为_anonymous),然后单击一个选项卡,显示一个创建新帐户表单 当我填写字段并点击submit时,就会调用rest端点,并将JSON数据发送到服务器。在我的安全配置中,我在下面发布了我正在使用的端点url,/createUserAccount/submit,设置为与filter
/createUserAccount/submit
,设置为与filterSecurityInterceptor
bean xml中的ROLE\u ANONYMOUS和ROLE\u ADMIN角色协同工作
因为我是登录页面上的匿名用户,所以我认为点击该端点会起作用,但事实并非如此。下面是与我的问题相关的所有文件
这是我的控制器:
@Controller
@RequestMapping("/createUserAccount")
@SessionAttributes("userAccount")
public class CreateUserAccountController {
private final String loginViewName = "login";
private CreateUserAccountValidator validator;
private UserAccountManager userAccountManager;
@Autowired
public CreateUserAccountController(
@Qualifier("createUserAccountValidator") CreateUserAccountValidator validator,
@Qualifier("userAccountManager") UserAccountManager userAccountManager) {
this.validator = validator;
this.userAccountManager = userAccountManager;
}
@RequestMapping(value="/submit", method = RequestMethod.POST)
@ResponseBody
public GenericJsonDTO submitForm(@RequestBody UserAccount userAccount, BindingResult result, SessionStatus status){
JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
validator.validate(userAccount, result);
if(!result.hasErrors()) {
userAccountManager.createUserAccount(userAccount);
status.setComplete();
}
return jsonFactory.getDto();
}
}
我有我的服务器设置,所以我可以在运行时调试,我把一个断点的行
JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
查看调用/createUserAccount/submit
端点时是否输入了函数。该函数从未被输入
下面是我的安全配置。我已经开始合并ACL安全性,因此配置文件相当长。我认为问题出在http元素
或filterSecurityInterceptor
bean配置xml中。filterSecurityInterceptor
XML是定义我的URI权限的地方
<global-method-security pre-post-annotations="enabled"
secured-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security>
<http use-expressions="true">
<intercept-url pattern="/**" requires-channel="https" />
<!--<intercept-url pattern="/gravytrack/dashboard**" requires-channel="https" access="ROLE_USER"/>-->
<http-basic />
<session-management>
<concurrency-control max-sessions="10"
error-if-maximum-exceeded="true" />
</session-management>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
</http>
<beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder ref="passwordEncoder"/>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT email, password, enabled FROM user_account
WHERE email = ?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<util:list>
<filter-chain pattern="/images/**" filters="" />
<filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCFalse,
basicAuthenticationFilter,
basicExceptionTranslationFilter,
filterSecurityInterceptor" />
</util:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCFalse"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<!--......................-->
<!-- basic authentication -->
<!--......................-->
<beans:bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<beans:constructor-arg name="authenticationManager">
<beans:ref bean="authenticationManager" />
</beans:constructor-arg>
<beans:constructor-arg name="authenticationEntryPoint">
<beans:ref bean="basicAuthenticationEntryPoint" />
</beans:constructor-arg>
</beans:bean>
<beans:bean id="basicAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<beans:property name="realmName" value="gravytrack.com" />
</beans:bean>
<beans:bean id="basicExceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:constructor-arg name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
<beans:property name="accessDeniedHandler" ref="basicAccessDeniedHandler" />
</beans:bean>
<beans:bean id="basicAccessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</beans:bean>
<!--......................-->
<!-- security -->
<!--......................-->
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource">
<filter-security-metadata-source use-expressions="false">
<intercept-url pattern="/login.jsp*"
access="ROLE_ANONYMOUS,ROLE_ADMIN" />
<intercept-url pattern="/gravytrack/createUserAccount/*"
access="ROLE_ANONYMOUS,ROLE_ADMIN" />
<intercept-url pattern="/images/**"
access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
<intercept-url pattern="/admin.htm*" access="ROLE_ADMIN" />
<intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean
class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<beans:bean id="permissionEvaluator"
class="org.springframework.security.acls.AclPermissionEvaluator">
<beans:constructor-arg ref="aclService" />
</beans:bean>
<beans:bean id="aclService"
class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
<beans:constructor-arg ref="dataSource" />
<beans:constructor-arg ref="lookupStrategy" />
<beans:constructor-arg ref="aclCache" />
<beans:property name="sidIdentityQuery"
value="SELECT max(id) FROM acl_sid" />
<beans:property name="classIdentityQuery"
value="SELECT max(id) FROM acl_class" />
<!--
<beans:property name="sidIdentityQuery"
value="select currval(pg_get_serial_sequence('acl_sid', 'id'))" />
<beans:property name="classIdentityQuery"
value="select currval(pg_get_serial_sequence('acl_class', 'id'))" />
-->
</beans:bean>
<beans:bean id="consoleAuditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
<beans:bean id="lookupStrategy"
class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<beans:constructor-arg ref="dataSource" />
<beans:constructor-arg ref="aclCache" />
<beans:constructor-arg ref="aclAuthorizationStrategy" />
<beans:constructor-arg ref="consoleAuditLogger"/>
</beans:bean>
<beans:bean id="aclAuthorizationStrategy"
class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
<beans:constructor-arg ref="consoleAuditLogger"/>
</beans:bean>
<beans:bean id="aclCache"
class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<beans:constructor-arg>
<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager">
<beans:bean
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
</beans:property>
<beans:property name="cacheName" value="aclCache" />
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg ref="permissionGrantingStrategy" />
<beans:constructor-arg ref="aclAuthorizationStrategy" />
</beans:bean>
</beans:beans>
最后但并非最不重要的一点是我的web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- Log4j configuration loading -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.xml</param-value>
</context-param>
<!-- Bootstrapping context loading -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/gravytrack-servlet.xml
/WEB-INF/gravytrack-services.xml
/WEB-INF/gravytrack-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>gravytrack.root</param-value>
</context-param>
<!-- session management listener -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
<!-- session times out if no activities for 30 minutes -->
<session-timeout>30</session-timeout>
</session-config>
<!-- defining the DispatcherServlet -->
<servlet>
<servlet-name>gravytrack</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<!--<servlet-mapping>-->
<!--<servlet-name>gravytrack</servlet-name>-->
<!--<url-pattern>*.html</url-pattern>-->
<!--</servlet-mapping>-->
<!-- Security entry point -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- webflow -->
<!--
<servlet-mapping>
<servlet-name>soba</servlet-name>
<url-pattern>/flow/*</url-pattern>
</servlet-mapping>
-->
<!-- defining the DefaultServlet -->
<servlet>
<servlet-name>DefaultServlet</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>DefaultServlet</servlet-name>
<url-pattern>*.jpg</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DefaultServlet</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/notfound.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>
login.jsp
</welcome-file>
</welcome-file-list>
<!-- Spring jsp tag lib -->
<jsp-config>
<taglib>
<taglib-uri>/spring</taglib-uri>
<taglib-location>/WEB-INF/tld/spring-form.tld</taglib-location>
</taglib>
</jsp-config>
</web-app>
org.springframework.web.util.Log4jConfigListener
log4jConfigLocation
/WEB-INF/classes/log4j.xml
org.springframework.web.context.ContextLoaderListener
上下文配置位置
/WEB-INF/gravytrack-servlet.xml
/WEB-INF/gravytrack-services.xml
/WEB-INF/gravytrack-security.xml
WebApprotKey
肉根
org.springframework.security.web.session.HttpSessionEventPublisher
30
墓穴架
org.springframework.web.servlet.DispatcherServlet
1.
墓穴架
/
墓穴架
*.htm
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
DefaultServlet
org.apache.catalina.servlets.DefaultServlet
2.
DefaultServlet
*jpg先生
DefaultServlet
*.html
404
/WEB-INF/jsp/notfound.jsp
login.jsp
/弹簧
/WEB-INF/tld/spring-form.tld
我很难找出问题所在,因此非常感谢您的帮助。默认情况下,Spring security启用CSRF和每个POST请求,因为它需要CSRF令牌。 检查 您可以在配置中这样关闭CSRF以测试是否存在问题
<http auto-config="false">
<csrf disabled="true"/>
如果你不想关闭CSRF,你必须像这样发布CSRF令牌
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>