我已将弹簧'spring-boot-starter-security'添加到现有的弹簧启动项目中;之后,弹簧控制器中的post方法无法正常工作,它会显示如下错误:
o.s.web.servlet.PageNotFound : Request method 'POST' not supported
Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/authenticate
Request Method:POST
Status Code:405 Method Not Allowed
Response Headers
view source
Allow:GET, HEAD
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Type:application/json;charset=UTF-8
Date:Wed, 14 Oct 2015 05:41:06 GMT
Expires:0
Pragma:no-cache
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:47
Content-Type:application/json;charset=UTF-8
Cookie:_ga=GA1.1.630164096.1442901791; JSESSIONID=B9F1946DAE5BCA7772526CFC735616EC
Host:localhost:8080
Origin:http://localhost:8080
Referer:http://localhost:8080/
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
X-ZUMO-APPLICATION:GSECUHNQOOrCwgRHFFYLXWiViGnXNV88
Request Payload
我的控制器方法是:
@RequestMapping(value="/authenticate",method = {RequestMethod.POST})
public LinkedHashMap<String,Object> authenticate(@RequestBody UserCredentials user){
LinkedHashMap<String, Object> res =new LinkedHashMap<String, Object>();
//business logic
return res;
}
pom文件:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.dfasfa</groupId>
<artifactId>AdminDashboard</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>AdminDashboard</name>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.2.4.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.7</java.version>
</properties>
<dependencies>
<dependency>
<groupId>javax.validation</groupId>
<artifactId>validation-api</artifactId>
<version>1.1.0.Final</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.0.3.Final</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.21</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-jasper</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<!--<scope>provided</scope>-->
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-jpamodelgen</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-integration</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
@Configuration
@ComponentScan
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordencoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/addService").permitAll()
.antMatchers("/app/*").permitAll()
.antMatchers("/lib/*").permitAll()
.antMatchers("/css/*").permitAll()
.antMatchers("/styles/*").permitAll()
.antMatchers("/login").permitAll()
.antMatchers("/getAllUsers").permitAll()
.anyRequest().permitAll() // for testing
.and()
// .formLogin().loginPage("/login")
.formLogin()
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.exceptionHandling().accessDeniedPage("/#/login")
.and()
.csrf();
}
@Bean(name="passwordEncoder")
public PasswordEncoder passwordencoder(){
return new BCryptPasswordEncoder();
}
}
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationContext;
@SpringBootApplication
public class Application {
public static void main(String[] args) {
ApplicationContext ctx = SpringApplication.run(Application.class, args);
System.out.println("Let's inspect the beans provided by Spring Boot:");
}
}
如果我删除所有这些安全相关的东西,代码工作得很好。我的配置有什么问题吗? 。安全登录表单和所有其他功能都很好用。但是post方法不起作用。
答案 0 :(得分:5)
.csrf().disable()
解决了问题
答案 1 :(得分:1)
不是禁用安全功能,而是搜索如何正确实现它。 http://www.baeldung.com/spring-security-csrf
简而言之,您需要为所有POST表单添加隐藏属性。
<input type="hidden" th:attr="name=${_csrf.parameterName},value=${_csrf.token}"/>
答案 2 :(得分:0)
您能否提供有关UserCredentials对象的信息?我也无法在请求中看到它。
您尝试做什么而是使用 @AuthenticationPrincipal 注释提醒我您可以实现的目标,而不是使用 @RequestBody 发布内容。这将意味着其他一些机制。
无论如何,有两件事:
答案 3 :(得分:0)
作为sudeep cv mentioned,您可以为应用程序禁用CSRF
作为user16115 mentioned,最好不要禁用重要的安全机制。
CSRF保护是否重要取决于您的应用程序。 Spring Boot有一个recommendation,用于指示您何时应该包括它:
何时应使用CSRF保护?我们的建议是使用CSRF 保护浏览器可以处理的任何请求, 普通用户。如果仅创建供以下人员使用的服务 非浏览器客户端,您可能需要禁用CSRF保护。
答案 4 :(得分:0)
之所以发生此错误,是因为当您将Spring安全性添加到类路径或pom.xml
文件中时,默认情况下csrf
被启用,并且您只能点击get方法,但是要点击put,post,patch,并删除其余端点,您有2个选项:
A)禁用csrf
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests().antMatchers("/","/saveUser/**","/css/").permitAll()
.anyRequest().authenticated()
.and()
.formLogin();
}
B)从邮递员客户端访问时包含csrf
令牌