我正在运行Spring Boot应用程序,但无法通过HTML表单使用RequestParam。每当我尝试使用POST方法通过表单发送参数时,都会引发Forbidden 403错误。即使我将spring安全设置更改为anyRequest.permitAll,它仍然会抛出403。您知道如何解决此问题吗?
mastermind_home.jsp:
<form action="/mastermind/home" method="POST">
<label>
<input type="radio" name="difficulty" value="easy">
</label>Easy<br>
<label>
<input type="radio" name="difficulty" value="medium" checked>
</label>Medium<br>
<label>
<input type="radio" name="difficulty" value="hard">
</label>Hard<br>
<input type="submit" value="Start game">
</form>`
控制器:
@AllArgsConstructor
@Controller
@RequestMapping("mastermind")
public class MastermindController {
private MastermindServiceImpl mastermindService;
private UserService userService;
@GetMapping("/home")
public String prepareMmHomePage() {
return "mastermind_home";
}
@PostMapping("/home")
public String formRequest( @RequestParam String difficulty) {
return "mastermind_home";
}
春季安全设置:
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private DataSource dataSource;
public SecurityConfiguration(DataSource dataSource) {
this.dataSource = dataSource;
}
@Bean
public PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean
public Authentication authentication() {
return SecurityContextHolder.getContext().getAuthentication();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(dataSource)
.passwordEncoder(passwordEncoder())
.usersByUsernameQuery("SELECT user_name, password, true FROM users WHERE user_name = ?")
.authoritiesByUsernameQuery("SELECT user_name, 'ROLE_USER' FROM users WHERE user_name = ?");
}
@Override
public void configure(WebSecurity web) throws Exception {
super.configure(web);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/main_menu","/mastermind/**").authenticated()
.antMatchers("/admin", "/admin/**").hasRole("ADMIN")
.antMatchers("/home", "/register", "/registered_successfully").anonymous()
.anyRequest().authenticated()
.and()
.formLogin()
.defaultSuccessUrl("/main_menu")
.and()
.logout()
.logoutSuccessUrl("/home");
}
}
答案 0 :(得分:0)
在spring security config中禁用csrf解决了我的问题。
and()
.csrf().disable();
另一个更好的解决方案:
在Spring Security中,我添加了:
.antMatchers(HttpMethod.POST, "/mastermind/home").authenticated()
并在jsp中形成验证csrf的令牌:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
答案 1 :(得分:-1)
在Spring安全配置中,您明确要求对以/mastermind开头的URL的所有请求都必须经过身份验证(.antMatchers("/main_menu","/mastermind/**").authenticated())。
如果要为POST /mastermind/home设置例外,则需要将配置更改为如下所示
http.authorizeRequests()
.antMatchers(HttpMethod.POST, "/mastermind/home").permitAll()
.antMatchers("/main_menu","/mastermind/**").authenticated()
....
请注意,这两行的顺序很重要,因为Spring会以相同的顺序匹配请求URL。
答案 2 :(得分:-1)
将此内容添加到spring security中以忽略网址格式
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring()
// All of Spring Security will ignore the requests.
.antMatchers("/mastermind/home");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
..........
}