Spring Resttemplate登录失败

时间:2015-06-22 13:29:30

标签: java spring spring-mvc spring-security csrf

更新到spring-4.1.6之后我再也无法登录我的休息服务了。

我看了不同的一面,但无法解决问题...所以我求助。

这是我的web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app 
   xmlns="http://java.sun.com/xml/ns/javaee" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" 
   version="2.5"> 

   <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/root-context.xml, /WEB-INF/spring/spring-security.xml</param-value>
    </context-param>

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Processes application requests -->
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <!-- Security Stuff -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

</web-app>

我的spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-4.0.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">

    <http entry-point-ref="restAuthenticationEntryPoint">
        <intercept-url pattern="/rest/**" access="ROLE_USER" />

        <form-login authentication-success-handler-ref="mySuccessHandler"
            authentication-failure-handler-ref="myFailureHandler" />
        <logout />
        <csrf disabled="false"/>
    </http>

    <beans:bean id="restAuthenticationEntryPoint" class="com.test.webservice.security.RestAuthenticationEntryPoint" />

    <beans:bean id="mySuccessHandler"
        class="com.test.webservice.security.RestAuthenticationSuccessHandler" />
    <beans:bean id="myFailureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="temporary" password="temporary" authorities="ROLE_ADMIN" />
                <user name="user" password="user" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

以下是我尝试调用登录信息的片段:

MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("j_username", username);
form.add("j_password", password);
return restTemplate.postForLocation(serverUri + "j_spring_security_check", form);

这是控制器:

@RestController
public class JustAServiceController {

    private static final Logger LOG = LoggerFactory.getLogger(JustAServiceController.class);

    @Autowired
    private JustAService justAService;

    @RequestMapping(value = RestURIConstants.JUSTASERVICE_EXCEPTION, method = RequestMethod.GET)
    public @ResponseBody MyFirstClassDTO throwException() throws DummyException{
        throw new DummyException("fasdfasdf", 1);
    }

这是我收到的例外情况:

org.springframework.web.client.HttpClientErrorException: 403 Expected CSRF token not found. Has your session expired?
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at com.test.webservice.client.TestResponseErrorHandler.handleError(TestResponseErrorHandler.java:21)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:614)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:570)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
    at org.springframework.web.client.RestTemplate.postForLocation(RestTemplate.java:305)
    at com.test.webservice.client.AbstractServiceWrapper.login(AbstractServiceWrapper.java:49)
    at com.testexample.webService.JustAServiceControllerTest.initWrapper(JustAServiceControllerTest.java:32)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:84)
    at org.testng.internal.Invoker.invokeConfigurationMethod(Invoker.java:564)
    at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:213)
    at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:138)
    at org.testng.internal.TestMethodWorker.invokeBeforeClassMethods(TestMethodWorker.java:175)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:107)
    at org.testng.TestRunner.privateRun(TestRunner.java:767)
    at org.testng.TestRunner.run(TestRunner.java:617)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
    at org.testng.SuiteRunner.run(SuiteRunner.java:240)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1224)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:1149)
    at org.testng.TestNG.run(TestNG.java:1057)
    at org.testng.remote.RemoteTestNG.run(RemoteTestNG.java:111)
    at org.testng.remote.RemoteTestNG.initAndRun(RemoteTestNG.java:204)
    at org.testng.remote.RemoteTestNG.main(RemoteTestNG.java:175)

如果我禁用CSRF,那么我会得到这个例外:

org.springframework.web.client.HttpClientErrorException: 404 Not Found
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at com.mleitner.lara.webservice.client.LaraResponseErrorHandler.handleError(LaraResponseErrorHandler.java:21)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:614)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:570)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
    at org.springframework.web.client.RestTemplate.postForLocation(RestTemplate.java:305)
    at com.mleitner.lara.webservice.client.AbstractServiceWrapper.login(AbstractServiceWrapper.java:49)
    at com.mleitner.laraexample.webService.JustAServiceControllerTest.initWrapper(JustAServiceControllerTest.java:32)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.testng.internal.MethodInvocationHelper.invokeMethod(MethodInvocationHelper.java:84)
    at org.testng.internal.Invoker.invokeConfigurationMethod(Invoker.java:564)
    at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:213)
    at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:138)
    at org.testng.internal.TestMethodWorker.invokeBeforeClassMethods(TestMethodWorker.java:175)
    at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:107)
    at org.testng.TestRunner.privateRun(TestRunner.java:767)
    at org.testng.TestRunner.run(TestRunner.java:617)
    at org.testng.SuiteRunner.runTest(SuiteRunner.java:334)
    at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:329)
    at org.testng.SuiteRunner.privateRun(SuiteRunner.java:291)
    at org.testng.SuiteRunner.run(SuiteRunner.java:240)
    at org.testng.SuiteRunnerWorker.runSuite(SuiteRunnerWorker.java:52)
    at org.testng.SuiteRunnerWorker.run(SuiteRunnerWorker.java:86)
    at org.testng.TestNG.runSuitesSequentially(TestNG.java:1224)
    at org.testng.TestNG.runSuitesLocally(TestNG.java:1149)
    at org.testng.TestNG.run(TestNG.java:1057)
    at org.testng.remote.RemoteTestNG.run(RemoteTestNG.java:111)
    at org.testng.remote.RemoteTestNG.initAndRun(RemoteTestNG.java:204)
    at org.testng.remote.RemoteTestNG.main(RemoteTestNG.java:175)

我确定这个来源已经有效...但是我在6个多月前完成了最后一次远程测试...所以我不确定spring lib更新是唯一相关的更改。在此先感谢您的帮助。

KR

1 个答案:

答案 0 :(得分:1)

您似乎已将Spring Security升级到4.x(由xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd证明)。不幸的是,Spring Security 4.x不是3.x的直接替代品。您需要查看Official Migration Guide以了解需要调整的配置元素。但是,从你的帖子中脱颖而出的一些是:

  1. CSRF保护is enabled by default。如果您没有在HTML表单中注入CSRF令牌,则需要将其关闭。
  2. 默认登录网址has changed from j_spring_security_check to login。由于您的客户端代码发布到j_spring_security_check,因此默认情况下该网址不存在会遇到404错误。您必须将其更改为login
  3. 登录表单用户名参数has changed from j_username to username。您必须为此更改客户端代码。
  4. 同样,登录表单密码参数has changed from j_password to password。您必须为此更改客户端代码。
相关问题
最新问题