spring 引导启动器安全 post 方法无效
spring boot starter security post methods not working
我已将 spring 'spring-boot-starter-security' 添加到现有的 spring 启动项目;之后 spring rest 控制器中的 post 方法无法正常工作,它显示如下错误:
o.s.web.servlet.PageNotFound : Request method 'POST' not supported
Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/authenticate
Request Method:POST
Status Code:405 Method Not Allowed
Response Headers
view source
Allow:GET, HEAD
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Type:application/json;charset=UTF-8
Date:Wed, 14 Oct 2015 05:41:06 GMT
Expires:0
Pragma:no-cache
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:47
Content-Type:application/json;charset=UTF-8
Cookie:_ga=GA1.1.630164096.1442901791; JSESSIONID=B9F1946DAE5BCA7772526CFC735616EC
Host:localhost:8080
Origin:http://localhost:8080
Referer:http://localhost:8080/
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
X-ZUMO-APPLICATION:GSECUHNQOOrCwgRHFFYLXWiViGnXNV88
Request Payload
我的控制器方法是这样的:
@RequestMapping(value="/authenticate",method = {RequestMethod.POST})
public LinkedHashMap<String,Object> authenticate(@RequestBody UserCredentials user){
LinkedHashMap<String, Object> res =new LinkedHashMap<String, Object>();
//business logic
return res;
}
pom 文件:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.dfasfa</groupId>
<artifactId>AdminDashboard</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>AdminDashboard</name>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.4.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.7</java.version>
</properties>
<dependencies>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.0.3.Final</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.21</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-jpamodelgen</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-integration</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
@Configuration
@ComponentScan
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordencoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/addService").permitAll()
.antMatchers("/app/*").permitAll()
.antMatchers("/lib/*").permitAll()
.antMatchers("/css/*").permitAll()
.antMatchers("/styles/*").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/getAllUsers").permitAll()
.anyRequest().permitAll() // for testing
.and()
// .formLogin().loginPage("/login")
.formLogin()
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/#/login")
.and()
.csrf();
}
@Bean(name="passwordEncoder")
public PasswordEncoder passwordencoder(){
return new BCryptPasswordEncoder();
}
}
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationContext;
@SpringBootApplication
public class Application {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(Application.class, args);
System.out.println("Let's inspect the beans provided by Spring Boot:");
}
}
如果我删除所有这些与安全相关的内容,代码将运行良好。我的配置有什么问题吗? .安全登录表单和所有其他功能都运行良好。但是 post 方法不起作用。
您能否深入了解 UserCredentials 对象是什么?我也看不到它张贴在请求中。
你尝试做的事反而让我想起你可以使用 @AuthenticationPrincipal 注释而不是使用 @RequestBody 发布内容.这还意味着其他一些机制。
无论如何,有两件事:
- 您想从这个控制器 return 做什么?身份验证方法中是否缺少 @ResponseBody?您可以尝试添加吗?
- 以防万一:您能否尝试强制执行控制器使用的内容类型(consumes @RequestMapping 注释的属性) 在您的请求中发送(已被提及为 application/json)
.csrf().disable() 解决了问题
与其禁用安全功能,不如搜索如何正确实施它。
http://www.baeldung.com/spring-security-csrf
简而言之,您需要为所有 POST 表单添加隐藏属性。
<input type="hidden" th:attr="name=${_csrf.parameterName},value=${_csrf.token}"/>
作为 sudeep cv ,您可以为您的应用程序禁用 CSRF
作为 user16115 ,最好不要禁用重要的安全机制。
CSRF 保护是否重要取决于您的应用程序。 Spring Boot 有一个 recommendation 用于说明何时应该或不应该包含它:
When should you use CSRF protection? Our recommendation is to use CSRF
protection for any request that could be processed by a browser by
normal users. If you are only creating a service that is used by
non-browser clients, you will likely want to disable CSRF protection.
发生此错误是因为当您将 Spring 安全性添加到您的类路径或 pom.xml 文件时,默认情况下 csrf 被启用并且您只能点击 get 方法但点击放置、post、修补和删除其余端点,您有 2 个选项:
A) 像这样禁用 csrf
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers("/","/saveUser/**","/css/").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
}
B) 从 Postman 客户端点击时包含 csrf 令牌
Please Refer this Image
我已将 spring 'spring-boot-starter-security' 添加到现有的 spring 启动项目;之后 spring rest 控制器中的 post 方法无法正常工作,它显示如下错误:
o.s.web.servlet.PageNotFound : Request method 'POST' not supported
Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/authenticate
Request Method:POST
Status Code:405 Method Not Allowed
Response Headers
view source
Allow:GET, HEAD
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Type:application/json;charset=UTF-8
Date:Wed, 14 Oct 2015 05:41:06 GMT
Expires:0
Pragma:no-cache
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:47
Content-Type:application/json;charset=UTF-8
Cookie:_ga=GA1.1.630164096.1442901791; JSESSIONID=B9F1946DAE5BCA7772526CFC735616EC
Host:localhost:8080
Origin:http://localhost:8080
Referer:http://localhost:8080/
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
X-ZUMO-APPLICATION:GSECUHNQOOrCwgRHFFYLXWiViGnXNV88
Request Payload
我的控制器方法是这样的:
@RequestMapping(value="/authenticate",method = {RequestMethod.POST})
public LinkedHashMap<String,Object> authenticate(@RequestBody UserCredentials user){
LinkedHashMap<String, Object> res =new LinkedHashMap<String, Object>();
//business logic
return res;
}
pom 文件:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.dfasfa</groupId>
<artifactId>AdminDashboard</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>AdminDashboard</name>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.4.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.7</java.version>
</properties>
<dependencies>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.0.3.Final</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.21</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-jpamodelgen</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-integration</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
@Configuration
@ComponentScan
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordencoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/addService").permitAll()
.antMatchers("/app/*").permitAll()
.antMatchers("/lib/*").permitAll()
.antMatchers("/css/*").permitAll()
.antMatchers("/styles/*").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/getAllUsers").permitAll()
.anyRequest().permitAll() // for testing
.and()
// .formLogin().loginPage("/login")
.formLogin()
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/#/login")
.and()
.csrf();
}
@Bean(name="passwordEncoder")
public PasswordEncoder passwordencoder(){
return new BCryptPasswordEncoder();
}
}
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationContext;
@SpringBootApplication
public class Application {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(Application.class, args);
System.out.println("Let's inspect the beans provided by Spring Boot:");
}
}
如果我删除所有这些与安全相关的内容,代码将运行良好。我的配置有什么问题吗? .安全登录表单和所有其他功能都运行良好。但是 post 方法不起作用。
您能否深入了解 UserCredentials 对象是什么?我也看不到它张贴在请求中。
你尝试做的事反而让我想起你可以使用 @AuthenticationPrincipal 注释而不是使用 @RequestBody 发布内容.这还意味着其他一些机制。
无论如何,有两件事:
- 您想从这个控制器 return 做什么?身份验证方法中是否缺少 @ResponseBody?您可以尝试添加吗?
- 以防万一:您能否尝试强制执行控制器使用的内容类型(consumes @RequestMapping 注释的属性) 在您的请求中发送(已被提及为 application/json)
.csrf().disable() 解决了问题
与其禁用安全功能,不如搜索如何正确实施它。 http://www.baeldung.com/spring-security-csrf
简而言之,您需要为所有 POST 表单添加隐藏属性。
<input type="hidden" th:attr="name=${_csrf.parameterName},value=${_csrf.token}"/>
作为 sudeep cv
作为 user16115
CSRF 保护是否重要取决于您的应用程序。 Spring Boot 有一个 recommendation 用于说明何时应该或不应该包含它:
When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.
发生此错误是因为当您将 Spring 安全性添加到您的类路径或 pom.xml 文件时,默认情况下 csrf 被启用并且您只能点击 get 方法但点击放置、post、修补和删除其余端点,您有 2 个选项:
A) 像这样禁用 csrf
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers("/","/saveUser/**","/css/").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
}
B) 从 Postman 客户端点击时包含 csrf 令牌
Please Refer this Image