Question

我一直在尝试将我的项目更新到Spring Security 4.0.0。我想我已经非常广泛地阅读了migration guide，但即使我可以成功登录并浏览页面，我在每个 Ajax请求上都会遇到403错误。 3.2.7一切正常。

这是我的＆＃34;手动登录＆＃34;配置文件：

<b:beans xmlns:b="http://www.springframework.org/schema/beans"
    xmlns="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- HTTP security configurations -->
    <http use-expressions="true" auto-config='true' disable-url-rewriting="false">
        <intercept-url access="permitAll" pattern="/" /><!-- To permit "/" allows the use of web.xml's <welcome-file> -->
        <intercept-url access="permitAll" pattern="/home" />
        <intercept-url access="permitAll" pattern="/login" />
        <intercept-url access="permitAll" pattern="/pages/exceptions/**" />
        <intercept-url access="permitAll" pattern="/javax.faces.resource/**" />
        <intercept-url access="permitAll" pattern="/resources/**" />
        <intercept-url access="permitAll" pattern="/j_spring_security_check"/>
        <intercept-url access="hasRole('ROLE_ADMIN')" pattern="/administration/**" />
        <intercept-url access="isAuthenticated()" pattern="/**" />
        <logout logout-url="/logout" logout-success-url='/home' />
        <form-login login-page='/login'
            username-parameter="j_username"
            password-parameter="j_password"
            login-processing-url="/j_spring_security_check"
            authentication-failure-url="/login?auth=fail"
            default-target-url="/home"  />
    </http>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="${authentication.provider}" />
    </authentication-manager>

    <b:bean name="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <b:bean id="daoAuthProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <b:property name="userDetailsService">
            <b:bean class="eu.ueb.acem.services.auth.DaoUserDetailsService">
                <b:property name="domainService" ref="domainService" />
            </b:bean>
        </b:property>
        <b:property name="passwordEncoder" ref="bcryptEncoder" />
    </b:bean>

</b:beans>

我尝试使用：

<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
    <headers disabled="true" />
    <csrf disabled="true"/>
    ...
</http>

但我明白了：

cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'headers'
cvc-complex-type.3.2.2: Attribute 'disabled' is not allowed to appear in element 'csrf'

这是正常的，因为4.0.0在以下位置没有专用的XML Schema：

http://www.springframework.org/schema/security/

那么什么可能导致这些＆＃34; 403被禁止＆＃34;错误？

Answer 1

好的，我找到了解决方案。确实要使用：

<http use-expressions="true" auto-config='true' disable-url-rewriting="false">
    <csrf disabled="true"/>
    ...
</http>

但目前，我们必须忽略Eclipse中的XML Schema错误。希望Spring能尽快将他们的新Schema放在网上。

升级到Spring Security 4.0.0后出现403错误

1 个答案: