在Struts2中使用JSON RPC和Spring Security会导致请求被禁止(403)

时间:2014-01-28 22:33:05

标签: json spring struts2 spring-security json-rpc

我使用以下JavaScript / jQuery函数通过JSON进行远程过程调用。

<s:url var="testJsonUrl" action="testJsonAction"/>
<script src="../js/jquery-1.8.0.min.js" type="text/javascript"></script>

var timeout;
var request;

$(document).ready(function(){
    $("#countryComboBox").change(function(){
        if(!request)
        {
            request = $.ajax({
                datatype:"json",
                type: "POST",
                data: JSON.stringify({jsonrpc:'2.0', method:'getStateTables', id:'jsonrpc', params:[$("#countryComboBox").val()]}),
                contentType: "application/json-rpc; charset=utf-8",
                url: "<s:property value='#testJsonUrl'/>",
                success: function(response)
                {
                    alert(JSON.stringify(response.result));
                },
                complete: function()
                {
                    timeout = request = null;
                },
                error: function(request, status, error)
                {
                    if(status!=="timeout"&&status!=="abort")
                    {
                        alert(status+" : "+error);
                    }
                }
            });
            timeout = setTimeout(function() {
                if(request)
                {
                    request.abort();
                    alert("The request has been timed out.");
                }
            }, 30000);
        }
    });
});

此函数调用动作类中的方法getStateTables(),如下所示。

@Namespace("/admin_side")
@ResultPath("/WEB-INF/content")
@ParentPackage(value = "json-default")
public final class TestAction extends ActionSupport
{
    @Autowired
    private final transient SharableService sharableService = null;
    private static final long serialVersionUID = 1L;
    List<StateTable> stateTables;

    public TestAction() {}

    @SMDMethod
    public List<StateTable> getStateTables(@SMDMethodParameter(name="countryId")Long countryId) {
        stateTables = sharableService.findStatesByCountryId(countryId);
        return stateTables;
    }

    @Action(value = "testJsonAction",
    results = {
        @Result(name = ActionSupport.SUCCESS, type = "json", params = {"enableSMD", "true"})},
    interceptorRefs = {
        @InterceptorRef(value = "json", params = {"enableSMD", "true", "includeProperties", "result\\[\\d+\\]\\.stateId, result\\[\\d+\\]\\.stateName", "excludeNullProperties", "true"})})
    public String executeAction() throws Exception {
        return SUCCESS;
    }

    @Action(value = "Test",
    results = {
        @Result(name = ActionSupport.SUCCESS, location = "Test.jsp"),
        @Result(name = ActionSupport.INPUT, location = "Test.jsp")},
    interceptorRefs = {
        @InterceptorRef(value = "defaultStack", params = {"params.acceptParamNames", "", "params.excludeMethods", "load", "validation.validateAnnotatedMethodOnly", "true"})})
    public String load() throws Exception {
        //This method is just used to return an initial view on page load.
        return ActionSupport.SUCCESS;
    }
}

此方法导致返回与jQuery函数提供的countryId对应的状态列表作为此方法的参数,该参数作为JSON响应委托给jQuery函数。

除非Spring Security出现,否则此工作正常。使用Spring Security时,请求被禁止。

标题信息可以如下查看。

Request URL:http://localhost:8080/TestStruts/admin_side/testJsonAction.action
Request Method:POST
Status Code:403 Forbidden
Request Headers
    Accept:*/*
    Accept-Encoding:gzip,deflate,sdch
    Accept-Language:en-US,en;q=0.8
    Cache-Control:max-age=0
    Connection:keep-alive
    Content-Length:73
    Content-Type:application/json-rpc; charset=UTF-8
    Cookie:JSESSIONID=0C4D7DFD269F1D5F7315A39971A75961; sbOverlayID=42887237
    Host:localhost:8080
    Origin:http://localhost:8080
    Referer:http://localhost:8080/TestStruts/admin_side/Test.action
    User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
    X-Requested-With:XMLHttpRequest
Request Payload
    {jsonrpc:2.0, method:getStateTables, id:jsonrpc, params:[2]}
    id: "jsonrpc"
    jsonrpc: "2.0"
    method: "getStateTables"
    params: [2]
Response Headers
    Content-Length:1149
    Content-Type:text/html;charset=utf-8
    Date:Tue, 28 Jan 2014 22:12:55 GMT
    Server:Apache-Coyote/1.1
    X-Content-Type-Options:nosniff
    X-Frame-Options:DENY
    X-XSS-Protection:1; mode=block

我的Spring Security配置与this问题中提到的完全相同。

在哪里查看Spring Security?

1 个答案:

答案 0 :(得分:0)

找到了一些东西。这是因为我正在使用CSRF令牌(在spring-security.xml文件中配置为<csrf/>),这需要与AJAX请求一起发送。当我使用jQuery函数和<meta>标记时,它是有效的here

  

如果您使用JSON,则无法提交CSRF令牌   在HTTP参数中。相反,您可以在一个内部提交令牌   HTTP标头。典型的模式是包含CSRF令牌   在您的元标记内。 JSP的示例如下所示:

<html>
  <head>
    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>
    <!-- ... -->
  </head>
  <!-- ... -->
     

然后,您可以在所有Ajax请求中包含令牌。如果你   使用jQuery,可以通过以下方式完成:

$(function () {
  var token = $("meta[name='_csrf']").attr("content");
  var header = $("meta[name='_csrf_header']").attr("content");
  $(document).ajaxSend(function(e, xhr, options) {
    xhr.setRequestHeader(header, token);
  });
});