0

我有一个使用 Spring Security 的 Spring Boot Web 应用程序。index.html 页面包含对控制器的方法调用 (POST),该控制器将对象从 MongoDB 加载到 ArrayList 中并返回它,以便它可以显示在首页上。

似乎 Spring Security 正在阻止匿名用户的 POST 请求。如果我第一次登录所以调用“/loadContent”方法,然后注销,一切正常。在调用该方法之前,我确实传递了 CSRF 令牌。

我的“网络安全配置”:

protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/", "/loadContent")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .logout()
            .permitAll()
            .and()
            .exceptionHandling()
            .accessDeniedPage("/403");
}
4

2 回答 2

0

CSRF is enabled by default in spring security.

A possible solution is to disable it manually (see last line in code below).

protected void configure(HttpSecurity http) throws Exception {
    http
            .authorizeRequests()
            .antMatchers("/", "/loadContent")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .logout()
            .permitAll()
            .and()
            .exceptionHandling()
            .accessDeniedPage("/403")
            .and().csrf().disable();
}

Update:

If you want to use csrf, which I encourage, maybe think about securing an additional REST endpoint e.g. starting with /api/.

In the example below these endpoints are secured using Basic Authorization with a user called api, but you can easily change it to allow anonymous users to request to resources:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{
     @Autowired
     public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("api").password("api").roles("API").and()
                .withUser("user").password("user").roles("USER").and()
                .withUser("admin").password("admin").roles("USER", "API", "ADMIN");
     }

     @Configuration
     @Order(1) // higher order = lower priority
     public static class ApiWebSecurityConfig extends WebSecurityConfigurerAdapter{

         @Override
         protected void configure(HttpSecurity http) throws Exception {
            // no csrf when communicating directly with the backend api
             http
                 .antMatcher("/api/**")
                     .authorizeRequests()
                         .anyRequest().hasAnyRole("API")
                         .and()
                 .httpBasic()
                 .and()
                 .csrf().disable();
             http.sessionManagement().disable();

         }
     }

     @Configuration
     @Order(2) // higher order = lower priority
     public static class UIWebSecurityConfig extends WebSecurityConfigurerAdapter {
       @Override
        protected void configure(HttpSecurity http) throws Exception {
           http.authorizeRequests() 
                .antMatchers("/**").hasAnyRole("USER", "ADMIN").anyRequest().authenticated();

           http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
           http.httpBasic().disable();
        }
     }
}
于 2017-10-24T09:01:05.177 回答
0

变成了控制器的@RequestMapping 区域中的错字。非常感谢你的协助。

于 2017-10-24T16:06:17.870 回答