spring boot starter安全发布​​方法不起作用

Question

我已将弹簧'spring-boot-starter-security'添加到现有的弹簧启动项目中;之后，弹簧控制器中的post方法无法正常工作，它会显示如下错误：

o.s.web.servlet.PageNotFound             : Request method 'POST' not supported


Remote Address:127.0.0.1:8080
Request URL:http://localhost:8080/authenticate
Request Method:POST
Status Code:405 Method Not Allowed
Response Headers
view source
Allow:GET, HEAD
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Type:application/json;charset=UTF-8
Date:Wed, 14 Oct 2015 05:41:06 GMT
Expires:0
Pragma:no-cache
Server:Apache-Coyote/1.1
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block
Request Headers
view source
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:47
Content-Type:application/json;charset=UTF-8
Cookie:_ga=GA1.1.630164096.1442901791; JSESSIONID=B9F1946DAE5BCA7772526CFC735616EC
Host:localhost:8080
Origin:http://localhost:8080
Referer:http://localhost:8080/
User-Agent:Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
X-ZUMO-APPLICATION:GSECUHNQOOrCwgRHFFYLXWiViGnXNV88
Request Payload

我的控制器方法是：

@RequestMapping(value="/authenticate",method = {RequestMethod.POST})
public  LinkedHashMap<String,Object> authenticate(@RequestBody UserCredentials user){


    LinkedHashMap<String, Object> res =new LinkedHashMap<String, Object>();
    //business logic 
    return res;
}

pom文件：

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.dfasfa</groupId>
    <artifactId>AdminDashboard</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <packaging>war</packaging>
    <name>AdminDashboard</name>


    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.2.4.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>      
        <java.version>1.7</java.version>
    </properties>

    <dependencies>
            <dependency>
            <groupId>javax.validation</groupId>
            <artifactId>validation-api</artifactId>
            <version>1.1.0.Final</version>
        </dependency>
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-validator</artifactId>
            <version>5.0.3.Final</version>
        </dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-tomcat</artifactId>
    <!--<scope>provided</scope>-->
</dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>



        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.21</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-jasper</artifactId>
            <!--<scope>provided</scope>-->
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <!--<scope>provided</scope>-->
        </dependency>
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-jpamodelgen</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-integration</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>


@Configuration
@ComponentScan
@EnableWebMvcSecurity

public class WebSecurityConfig extends  WebSecurityConfigurerAdapter {

 @Autowired
 private UserDetailsService userDetailsService;

 @Autowired
 public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
     auth.userDetailsService(userDetailsService).passwordEncoder(passwordencoder());
 }

 @Override
 protected void configure(HttpSecurity http) throws Exception {
   http.authorizeRequests()
           .antMatchers("/addService").permitAll()
           .antMatchers("/app/*").permitAll()
           .antMatchers("/lib/*").permitAll()
           .antMatchers("/css/*").permitAll()
           .antMatchers("/styles/*").permitAll()
           .antMatchers("/login").permitAll()
           .antMatchers("/getAllUsers").permitAll()
           .anyRequest().permitAll()  // for testing 
  .and()
//    .formLogin().loginPage("/login")
           .formLogin()
    .usernameParameter("username").passwordParameter("password")
  .and()
    .logout().logoutSuccessUrl("/login?logout")
   .and()
   .exceptionHandling().accessDeniedPage("/#/login")
  .and()
    .csrf();
 }

 @Bean(name="passwordEncoder")
    public PasswordEncoder passwordencoder(){
     return new BCryptPasswordEncoder();
    }





}


import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationContext;

@SpringBootApplication
public class Application  {


    public static void main(String[] args) {
        ApplicationContext ctx = SpringApplication.run(Application.class, args);
        System.out.println("Let's inspect the beans provided by Spring Boot:");             

    }

}

如果我删除所有这些安全相关的东西，代码工作得很好。我的配置有什么问题吗？ 。安全登录表单和所有其他功能都很好用。但是post方法不起作用。

Answer 1

.csrf().disable()解决了问题

Answer 2

不是禁用安全功能，而是搜索如何正确实现它。 http://www.baeldung.com/spring-security-csrf

简而言之，您需要为所有POST表单添加隐藏属性。

<input type="hidden" th:attr="name=${_csrf.parameterName},value=${_csrf.token}"/>

Answer 3

您能否提供有关UserCredentials对象的信息？我也无法在请求中看到它。

您尝试做什么而是使用 @AuthenticationPrincipal 注释提醒我您可以实现的目标，而不是使用 @RequestBody 发布内容。这将意味着其他一些机制。

无论如何，有两件事：

1. 你想从这个控制器返回什么？身份验证方法中是否缺少 @ResponseBody ？你能尝试添加吗？
2. 以防万一：您是否可以尝试强制执行您的请求中发送的控制器所消耗的内容类型（消费 @RequestMapping 注释的属性）（已经在您的请求中发送）提到申请/ json）

Answer 4

作为sudeep cv mentioned，您可以为应用程序禁用CSRF

作为user16115 mentioned，最好不要禁用重要的安全机制。

CSRF保护是否重要取决于您的应用程序。 Spring Boot有一个recommendation，用于指示您何时应该包括它：

何时应使用CSRF保护？我们的建议是使用CSRF 保护浏览器可以处理的任何请求， 普通用户。如果仅创建供以下人员使用的服务 非浏览器客户端，您可能需要禁用CSRF保护。

Answer 5

之所以发生此错误，是因为当您将Spring安全性添加到类路径或pom.xml文件中时，默认情况下csrf被启用，并且您只能点击get方法，但是要点击put，post，patch，并删除其余端点，您有2个选项：

A）禁用csrf

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
            .authorizeRequests().antMatchers("/","/saveUser/**","/css/").permitAll()
            .anyRequest().authenticated()
            .and()
            .formLogin();
}

B）从邮递员客户端访问时包含csrf令牌

Please Refer this Image