Spring Security 403 error

Notice: this page is a Chinese/English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Stack Overflow original: http://stackoverflow.com/questions/19468209/

Date: 2020-09-08 06:17:58  Source: igfitidea

spring security 403 error

Tags: spring, spring-mvc, spring-security

Asked by ken

I'm trying to secure my website using Spring security following the guides on the web. So on my server side the WebSecurityConfigurerAdapter and controller looks like this


@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
        implements ApplicationContextAware {

    @Override
    protected void registerAuthentication(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        authManagerBuilder.inMemoryAuthentication()
            .withUser("user").password("password").roles("ADMIN");
    }
}

@Controller
//@RequestMapping("/course")
public class CourseController implements ApplicationContextAware {

    @RequestMapping(value="/course", method = RequestMethod.GET, produces="application/json")
    public @ResponseBody List<Course> get(// The criterion used to find.
            @RequestParam(value="what", required=true) String what,
            @RequestParam(value="value", required=true) String value) {
        //.....
    }

    @RequestMapping(value="/course", method = RequestMethod.POST, produces="application/json")
    public List<Course> upload(@RequestBody Course[] cs) {
    }
}

What confused me very much is the server does not respond to the POST/DELETE method, while the GET method works fine. BTW, I'm using RestTemplate on the client side. Exceptions are:


Exception in thread "main" org.springframework.web.client.HttpClientErrorException: 403 Forbidden
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at org.springframework.web.client.RestTemplate.handleResponseError(RestTemplate.java:574)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:530)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:487)
    at org.springframework.web.client.RestTemplate.delete(RestTemplate.java:385)
    at hello.Application.createRestTemplate(Application.java:149)
    at hello.Application.main(Application.java:99)

I've searched the internet for days. Still don't have a clue. Please help. Thanks so much


Answered by Rob Winch

The issue is likely due to CSRF protection. If users will not be using your application in a web browser, then it is safe to disable CSRF protection. Otherwise you should ensure to include the CSRF token in the request.


To disable CSRF protection you can use the following:


@Configuration
@EnableWebSecurity
public class WebSecurityConfig
    extends WebSecurityConfigurerAdapter implements ApplicationContextAware {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .csrf().disable();
    }

    @Override
    protected void registerAuthentication(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        authManagerBuilder
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("ADMIN");
    }
}
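The second option in the answer above, keeping CSRF protection on and having the RestTemplate client include the token, is the one to prefer when browsers also use the site, because `.csrf().disable()` removes the protection for every client at once. The following is an added example, not code from the answer or from the question's project. It assumes Spring Security 5.x (the `WebSecurityConfigurerAdapter` API, deprecated in 5.7 but matching the page's style), the defaults of `CookieCsrfTokenRepository` (cookie `XSRF-TOKEN`, header `X-XSRF-TOKEN`), a server at `http://localhost:8080` and the `/course` endpoint with its `what`/`value` parameters from the question; the class `CsrfAwareClient` and its method names are hypothetical.

```java
import java.util.Collections;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.client.RestTemplate;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // CSRF stays enabled. The token is issued in a readable XSRF-TOKEN cookie
                // so a non-browser client (or SPA) can echo it back in the X-XSRF-TOKEN header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same in-memory user as the question; {noop} marks an unencoded password (Spring Security 5 encoder ids).
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("ADMIN");
    }
}

/** Hypothetical RestTemplate client that performs the CSRF handshake before a state-changing call. */
class CsrfAwareClient {

    private static final String COOKIE = "XSRF-TOKEN";   // CookieCsrfTokenRepository defaults
    private static final String HEADER = "X-XSRF-TOKEN";

    private final RestTemplate rest = new RestTemplate();
    private final String base;
    private final HttpHeaders auth = new HttpHeaders();

    CsrfAwareClient(String base, String user, String password) {
        this.base = base;
        auth.setBasicAuth(user, password);   // Spring 5.1+; older versions set "Authorization" by hand
    }

    /** Step 1: a safe GET makes CsrfFilter issue the token cookie; read it from Set-Cookie. */
    String fetchToken() {
        ResponseEntity<String> res = rest.exchange(base + "/course?what=name&value=x",
                HttpMethod.GET, new HttpEntity<>(auth), String.class);
        List<String> cookies = res.getHeaders().getOrDefault(HttpHeaders.SET_COOKIE, Collections.emptyList());
        for (String c : cookies) {
            if (c.startsWith(COOKIE + "=")) {
                return c.substring(COOKIE.length() + 1).split(";", 2)[0];   // strip Path/SameSite attributes
            }
        }
        throw new IllegalStateException("server did not issue " + COOKIE);
    }

    /** Step 2: send the token as the cookie AND as the header; CsrfFilter requires the two to match. */
    ResponseEntity<String> postCourses(String coursesJson, String token) {
        HttpHeaders h = new HttpHeaders();
        h.putAll(auth);
        h.setContentType(MediaType.APPLICATION_JSON);
        h.add(HttpHeaders.COOKIE, COOKIE + "=" + token);
        h.add(HEADER, token);
        return rest.exchange(base + "/course", HttpMethod.POST, new HttpEntity<>(coursesJson, h), String.class);
    }

    public static void main(String[] args) {
        CsrfAwareClient client = new CsrfAwareClient("http://localhost:8080", "user", "password");
        String token = client.fetchToken();
        // Constructed sample body; without the token/cookie pair this POST is the 403 from the question.
        System.out.println(client.postCourses("[{\"name\":\"Security 101\"}]", token).getStatusCode());
    }
}
```

A request that carries no `X-XSRF-TOKEN` header, or one that does not match the cookie, is still rejected with 403, so browser users keep the protection. If a single path really is served only to non-browser clients, `.csrf().ignoringAntMatchers("/api/**")` (Spring Security 4.0+) limits the exemption to that path instead of disabling CSRF for the whole application.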

Answered by Manas Ranjan Mahapatra

Check the token which you are sending through the 'Header' and also query your database for the same token to see whether that token exists or not.


Note: The above is applicable only in case you are using Spring Boot token authentication mechanism.
