下午好,
尝试将某些数据发送到部署在tomcat上的服务器时出错。我认为这是一个Spring安全问题。
在服务器上,这是我的安全设置:
try {
http.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.antMatchers("/mainMenu/admin/*").access("hasRole('" + ENUM_USER_ROLES.ADMIN.getValue() +"')")
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
.antMatchers(HttpMethod.GET,"/api/mobile/**").authenticated()
.antMatchers(HttpMethod.POST,"/api/mobile/**").authenticated()
// .antMatchers(HttpMethod.POST, "/api/mobile/**").access("hasRole('COMPANY_MOBILE')")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
http.httpBasic();
} catch(Exception e) {
logger.error(e.getMessage());
}
在控制器中,我有两种方法:
@RequestMapping(value = "/api/mobile/test/1", method=RequestMethod.GET, produces={"application/json"})
public @ResponseBody String populateActivePSwapBasketGET() {
return "HELLO get";
}
@RequestMapping(value = "/api/mobile/test/2", method=RequestMethod.POST, produces={"application/json"})
public @ResponseBody String populateActivePSwapBasketPOST() {
return "HELLO post";
}
从我的Android角度来看,我正在成功调用第一个GET方法,但POST方法正在抛出
org.springframework.web.client.HttpClientErrorException:403 Forbidden
在Android手机上,以下是我在服务器上调用Get和Post方法的两种方法。第二个给了我例外:
HttpAuthentication authHeader = new HttpBasicAuthentication(userName, password);
HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.setAuthorization(authHeader);
final Gson gson = new Gson();
// Create the request body as a MultiValueMap
MultiValueMap<String, String> body = new LinkedMultiValueMap<String, String>();
HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders);
RestTemplate restTemplate = new RestTemplate(true);
try {
ResponseEntity<String> out1 = restTemplate.exchange(
AndroidPhoneProperties.REST_API + "/api/mobile/test/1",
HttpMethod.GET,
requestEntity,
String.class);
ResponseEntity<String> out2 = restTemplate.exchange(
AndroidPhoneProperties.REST_API + "/api/mobile/test/2",
HttpMethod.POST,
requestEntity,
String.class);
String asd = "";
} catch (HttpClientErrorException e) {
CustomAppLogging.e(this.getClass().getName(), CLASSNAME + " HttpClientErrorException " + e.getMessage());
}
这是服务器的gradle文件:
dependencies {
compile("org.springframework.boot:spring-boot-starter-thymeleaf")
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework:spring-jdbc:4.1.0.RELEASE")
compile("org.springframework.boot:spring-boot-starter-data-jpa")
compile("mysql:mysql-connector-java:5.1.+")
compile("org.webjars:bootstrap:3.0.3")
compile("org.webjars:jquery:2.0.3-1")
compile("org.springframework.security.oauth:spring-security-oauth2:2.0.7.RELEASE")
compile("org.thymeleaf:thymeleaf-spring4")
compile("nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect")
compile("org.springframework.boot:spring-boot-starter-web")
compile("com.google.code.gson:gson:2.2.4")
providedRuntime("org.springframework.boot:spring-boot-starter-tomcat")
testCompile("junit:junit")
}
这是我的android项目的Gradle文件:
dependencies {
compile fileTree(include: ['*.jar'], dir: 'libs')
compile 'com.android.support:appcompat-v7:22.2.0'
compile 'com.squareup.retrofit:retrofit:2.0.0-beta1'
compile 'com.squareup.retrofit:converter-gson:2.0.0-beta1'
compile 'com.squareup.retrofit:adapter-rxjava:2.0.0-beta1'
compile 'com.google.code.gson:gson:2.3'
compile 'org.springframework.android:spring-android-rest-template:2.0.0.M1'
compile 'com.android.support:design:22.2.0'
compile 'com.android.support:support-v4:22.1.1'
compile 'de.hdodenhof:circleimageview:1.3.0'
}
当我测试这个时,我正在从命令行运行它,如下所示:
java -Xdebug -Xrunjdwp:server = y,transport = dt_socket,address = 8000,suspend = n -jar build / libs / xxx-0.1.0.jar
在哪里可以看到Spring安全性中的日志,它可以告诉我有关POST被拒绝的原因的更多信息?如果我切换到在我的tomcat服务器上部署它,我会获得更好的日志吗?
如果您想了解更多信息,请询问。
感谢您的帮助。
答案 0 :(得分:0)
禁用CSRF。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.csrf().disable();
}
答案发布在这里: