java 发布后 Spring Security Access 被拒绝 403
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/31027882/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security Access denied 403 after post
提问by Lucas Freitas
I've tried almost everything in the others posts about it, nothing is related with my problem.
我已经尝试了其他帖子中关于它的几乎所有内容,与我的问题无关。
If I try to recover my URL via GET (ex: path/users/edit/1 ) everything works fine and I get redirected to the user edit page, but If I try to access this page via POST, the spring security deny my access to the page.
如果我尝试通过 GET 恢复我的 URL(例如: path/users/edit/1 )一切正常并且我被重定向到用户编辑页面,但是如果我尝试通过 POST 访问此页面,spring security 会拒绝我的访问到页面。
Both of the methods are mapped in my controller class.
这两种方法都映射在我的控制器类中。
@RequestMapping(value="/users/edit/{id}", method={RequestMethod.POST,RequestMethod.GET})
public ModelAndView login(ModelAndView model, @PathVariable("id") int id ) {
model.addObject("user", this.userService.getUserById(id));
model.setViewName("/users/add"); //add.jsp
return model;
}
My form which I use post
我使用 post 的表单
<f:form method="post" action="/users/edit/${user.id}">
<button type="submit">Edit</button>
</f:form>
Spring security.xml
弹簧安全.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/secure**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/secure/users**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/denied" />
<form-login
login-page="/home"
default-target-url="/secure"
authentication-failure-url="/home?error"
username-parameter="inputEmail"
password-parameter="inputPassword" />
<logout logout-success-url="/home?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider>
<password-encoder hash="md5" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"SELECT login, senha, ativo
FROM usuarios
WHERE login = ?"
authorities-by-username-query=
"SELECT u.login, r.role
FROM usuarios_roles r, usuarios u
WHERE u.id = r.usuario_id
AND u.login = ?" />
</authentication-provider>
</authentication-manager>
回答by ikumen
I noticed you're using csrf protection, which by default protects any HTTP verb that modifies a resource (e.g. PUT, POST, DELETE,...). If you're using Spring's form tag, a csrf token should be automatically included as a hidden input in your form. You should check the source in your browser to verify the csrf token is there, otherwise you'll need something like this:
我注意到您正在使用 csrf 保护,它默认保护任何修改资源的 HTTP 动词(例如 PUT、POST、DELETE 等)。如果您使用的是 Spring 的 form 标签,csrf 令牌应该作为隐藏输入自动包含在您的表单中。您应该检查浏览器中的源代码以验证 csrf 令牌是否存在,否则您将需要如下内容:
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
You can read more about csrf protection/configurationin Spring reference.
您可以在 Spring 参考中阅读有关csrf 保护/配置的更多信息。
回答by Ahmad Al-Kurdi
You can simply use <sec:csrfInput/>tag as the following :
您可以简单地使用<sec:csrfInput/>标签如下:
<f:form method="post" action="/users/edit/${user.id}">
<button type="submit">Edit</button>
<sec:csrfInput/>
</f:form>
And please make sure to import spring security tags
并且请确保导入 spring 安全标签
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>
回答by Grant Murphy
I know this is an old post but I want to post in case anyone comes across this while searching like I did.
我知道这是一篇旧帖子,但我想发布以防万一有人像我一样在搜索时遇到这个问题。
Make sure you have the proper annotations on the class that extends WebSecurityConfigurerAdapter
确保在扩展的类上有正确的注释 WebSecurityConfigurerAdapter
@Configuration
@Configuration
@EnableWebSecurity
@EnableWebSecurity
I had missed these and spent a few hours working on a problem that did not exist.
我错过了这些并花了几个小时来解决一个不存在的问题。
