我有一个控制器来上传用户已经工作了很长一段时间的化身。直到最近,我改变了我的弹簧安全配置。更改是未经授权调用API的返回403禁止和未经授权的调用重定向到登录的任何其他内容。自从进行此更改后,每次调用上传头像时,应用程序都会抛出403。每个其他API都按预期工作。
以下是我认为与手头问题相关的片段:
控制器:
@Controller
@RequestMapping("/api/users")
public class UsersController {
@RequestMapping(value = "/upload_avatar", params = { "filename" }, method = RequestMethod.POST)
public @ResponseBody ResponseStatusDTO handleFileUpload(
@RequestParam("file") MultipartFile file,
@RequestParam(value = "filename") String filename) {
if (!file.isEmpty()) {
try {
String newFilename = userUtil.uploadAvatar(file, filename);
return new ResponseStatusDTO(1, newFilename);
} catch (Exception e) {
return new ResponseStatusDTO(1, "Failed to upload " + filename
+ "!");
}
} else {
return new ResponseStatusDTO(1, "Failed to upload " + filename
+ " because the file was empty.");
}
}
}
Ajax呼叫执行请求:
uploadAvatar : function(){
var file = this.getSelectedFile();
var data = new FormData();
data.append('file', file);
var name = file.name;
$.ajax({
url: './api/users/upload_avatar?filename='+ name,
data: data,
cache: false,
contentType: false,
processData: false,
type: 'POST',
success: _.bind(function(data){
this.avatar = data.message;
}, this),
error: _.bind(function(data){
//TODO
}, this)
});
}
最新的Spring安全配置:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration {
@Autowired
private CommonAuthenticationProvider authProvider;
@Autowired
AuthFailureHandler authFailureHandler;
@Autowired
AuthSuccessHandler authSuccessHandler;
@Autowired
public void globalUserDetails(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(authProvider);
}
@Configuration
@Order(1)
public static class ApiLoginWebSecurityConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
private Http403ForbiddenEntryPoint forbiddenEntryPoint;
@Bean
public Http403ForbiddenEntryPoint forbiddenEntryPoint() {
return new Http403ForbiddenEntryPoint();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.antMatcher("/api/**")
.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.httpBasic()
.authenticationEntryPoint(forbiddenEntryPoint);
// @formatter:on
}
}
@Configuration
public static class FormLoginWebSecurityConfigurationAdapter extends
WebSecurityConfigurerAdapter {
@Autowired
AuthFailureHandler authFailureHandler;
@Autowired
AuthSuccessHandler authSuccessHandler;
@Autowired
private LoginUrlAuthenticationEntryPoint loginEntryPoint;
@Bean
public LoginUrlAuthenticationEntryPoint loginEntryPoint() {
return new LoginUrlAuthenticationEntryPoint("/login");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/css/**", "/js/**", "/webjars/**",
"/login/**", "/session/**", "/public/**");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http.authorizeRequests()
.anyRequest().fullyAuthenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/j_spring_security_check")
.usernameParameter("username")
.passwordParameter("password")
.failureHandler(authFailureHandler)
.successHandler(authSuccessHandler)
.permitAll()
.and()
.logout()
.logoutUrl("/j_spring_security_logout")
.logoutSuccessUrl("/login")
.invalidateHttpSession(true)
// .deleteCookies(cookieNamesToClear)
.and()
.httpBasic().authenticationEntryPoint(loginEntryPoint)
.and()
.csrf().disable();
// @formatter:on
}
}
}
答案 0 :(得分:0)
几个小时后终于找到了问题。在新的api安全配置中,我没有禁用csrf并且没有发送令牌。一旦我禁用了csrf,它就按预期工作了。
setTimeout