Spring安全过滤器阻止了restful api调用

时间:2015-03-21 05:37:14

标签: spring rest spring-mvc spring-security

我有一个使用Spring 4的Web应用程序。我在这里使用Spring安全性。与此同时,我需要打开一个没有安全感的宁静api。问题是在安全过滤器启用之前我的休息休息POST调用获得405方法不允许响应(仍然是GET工作)。同时服务器日志说

.11:27:13.058 [http-bio-8080-exec-5] WARN  o.s.web.servlet.PageNotFound - Request method 'POST' not supported

当我从web.xml评论安全过滤器时,POST工作正常。我尝试将以下行添加到安全xml但没有帮助。

<intercept-url pattern="/rest**" access="permitAll" />

我的web.xml,安全过滤器和评论POST开始工作时的结束。

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
      http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     version="2.5">

<display-name>Counter Web Application</display-name>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<!-- Loads Spring Security config file -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/application-security.xml,
        /WEB-INF/application-database.xml
    </param-value>
</context-param>

 <!--Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我的application-security.xml 

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http security="none" pattern="**/resources/**"/>

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">

    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/rest**" access="permitAll" />

    <!-- access denied page -->
    <access-denied-handler error-page="/access-denied" />

    <form-login
            login-page="/login"
            default-target-url="/admin/dashboard"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
    <logout logout-success-url="/login?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>

    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
                           users-by-username-query="select username,password, enabled from users where username=?"
                           authorities-by-username-query="select username, role from user_roles where username =?" />
    </authentication-provider>

</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

我的休息控制器。我也有其他控制器。我这里只是假日期。为了让事情先发挥作用。

    @RestController
    @RequestMapping("/rest/orders")
    public class OrderRestController {

    @Autowired
    private FoodItemService foodItemService;

    @RequestMapping(value = "", method = RequestMethod.POST)
    public Order addOrder(Order orderDto) {
        return orderDto;
    }

    @RequestMapping(value = "", method = RequestMethod.GET)
    public Order getOrder() {
        FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
        Order orderDto = new Order();
        orderDto.setRoomId(23);
        OrderItem orderItem = new OrderItem();
        orderItem.setFoodItem(foodItem);
        orderItem.setAmount(4);
        List<OrderItem> orderItems = new LinkedList<OrderItem>();
        orderItems.add(orderItem);
        orderDto.setOrderItemList(orderItems);
        return orderDto;
    }

3 个答案:

答案 0 :(得分:1)

问题是csrf已启用。应该进一步研究禁用csrf和安全性,但目前禁用它是解决方案。

答案 1 :(得分:0)

通过查看你的控制器,看起来你有2个没有价值的方法,他们正试图回复URL .... / rest / orders;我是这样写的:

@RestController
@RequestMapping("/rest/orders")
public class OrderRestController {

@Autowired
private FoodItemService foodItemService;

@RequestMapping(value = "addOrder", method = RequestMethod.POST)
public Order addOrder(Order orderDto) {
    return orderDto;
}

@RequestMapping(value = "getOrder", method = RequestMethod.GET)
public Order getOrder() {
    FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
    Order orderDto = new Order();
    orderDto.setRoomId(23);
    OrderItem orderItem = new OrderItem();
    orderItem.setFoodItem(foodItem);
    orderItem.setAmount(4);
    List<OrderItem> orderItems = new LinkedList<OrderItem>();
    orderItems.add(orderItem);
    orderDto.setOrderItemList(orderItems);
    return orderDto;
}

之后,如果我想调用addOrder方法,我会对URL / rest / orders / addOrder进行REST调用(使用POST方法),如果我想调用getOrder方法,我会做一个REST调用URL / rest / orders / getOrder。 Morevoer我将一个参数(例如orderId)传递给getOrder方法,以便我可以加载所选的订单

答案 2 :(得分:0)

你试过这个:

<intercept-url pattern="/rest/**" access="permitAll" />
相关问题
最新问题