我正在使用spring-boot,rest api和angularjs创建一个Web应用程序,但是当我尝试发送$ http.put请求时,我得到403禁止错误。在分类上我发现Spring引导需要一个CSRF令牌,因此我试图将我的Jsp页面中的CSRF参数发送到angularjs控制器而在angularjs中我试图用csrf-token创建一个头并试图把它发送到我的弹簧控制器,我得到了相同的错误。如果我在spring security中禁用CSRF属性,我就可以毫无问题地执行程序。我是新手,所以任何人都可以帮我解决这个错误。
问题出现在viewProduct.jsp中,我试图调用addToCart($ product.productId)angularjs函数。它会抛出403 Forbidden错误
cart.jsp
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@include file="/WEB-INF/views/template/header.jsp"%>
<div class="container-wrapper">
<div class="container">
<section>
<div class="jumbotron">
<div class="container">
<h1>Cart</h1>
<p>All the selected products in your shopping cart</p>
</div>
</div>
</section>
<section class="container" ng-app="cartApp">
<div ng-controller="cartCtrl" ng-init="initCartId(${cartId})">
<div class="btn btn-danger pull-left"><span class="glyphicon glyphicon-remove-sign"></span>
</div>
<table class="table table-hover">
<thead>
<tr>
<th>Product</th>
<th>Unit Price</th>
<th>Quantity</th>
<th>Price</th>
<th>Action</th>
</tr>
</thead>
<tr ng-repeat="item in cart.cartItems">
<td>{{item.product.productName}}</td>
<td>{{item.product.productPrice}}</td>
<td>{{item.quantity}}</td>
<td>{{item.totalPrice}}</td>
<td><a href="#" class="label label-danger" ng-click="removeCart(item.product.productId)">
<span class="glyphicon glyphicon-remove"></span>remove </a></td>
</tr>
<tr>
<th></th>
<th></th>
<th>Grand Total</th>
<th>{{cart.grandTotal}}</th>
<th></th>
</tr>
</table>
<a href="<spring:url value="/productList"/>" class="btn btn-default">Continue Shopping</a>
</div>
</section>
</div>
</div>
<script src="<c:url value="/resources/js/controller.js"/>"></script>
<%@include file="/WEB-INF/views/template/footer.jsp"%>
viewProduct.jsp
<%@taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<%@include file="/WEB-INF/views/template/header.jsp"%>
<div class="container-wrapper">
<div class="container">
<div class="page-header">
<h1>Product Detail</h1>
<p class="lead" >Detailed Product Information</p>
</div>
<div class="container" ng-app="cartApp">
<div class="row">
<div class="col-lg-5">
<img src="<c:url value="/resources/images/${product.productId}.png"/>" alt="image" style="width: 100%;height: 300px"/>
</div>
<div class="col-lg-5">
<h3>${product.productName}</h3>
<p>${product.productDescription}</p>
<p><strong>Manufacturer </strong>${product.productManufacturer}</p>
<p><strong>Category </strong>${product.productCategory}</p>
<p><strong>Condition </strong>${product.productCondition}</p>
<h5><Strong>Price </Strong>${product.productPrice} USD</h5>
<br>
<c:set var="role" scope="page" value="${param.role}"/>
<c:set var="url" scope="page" value="/productList"/>
<c:if test="${role='admin'}">
<c:set var="url" scope="page" value="/admin/productInventory"></c:set>
</c:if>
<p ng-controller="cartCtrl">
<a href="<c:url value="${url}"/>" class="btn btn-default">Back</a>
<a class="btn btn-warning btn-large" ng-click="addToCart(${product.productId})">
<span class="glyphicon glyphicon-shopping-cart">Order Now</span>
</a>
<a href="<c:url value="/cart"/>" class="btn btn-default"><span class="glyphicon glyphicon-hand-right"></span> View Cart</a>
</p>
</div>
</div>
</div>
<script src="<c:url value="/resources/js/controller.js"/>"></script>
<%@include file="/WEB-INF/views/template/footer.jsp"%>
contoller.js
/**
* Created by Dilipan on 6/26/2016.
*/
var cartApp =angular.module("cartApp",[]);
cartApp.config(function ($httpProvider){
$httpProvider.defaults.headers.post['X-CSRFToken'] = $('input[name=csrfmiddlewaretoken]').val();
})
cartApp.controller("cartCtrl",function ($scope,$http) {
$scope.refreshCart=function (cartId) {
$http.get("/eMusicStore/rest/cart/"+$scope.cartId).success(function (data) {
$scope.cart=data;
});
};
$scope.clearCart=function () {
$http.delete("/eMusicStore/rest/cart/"+$scope.cartId).success($scope.refreshCart(cartId));
};
$scope.initCartId=function (cartId) {
$scope.cartId=cartId;
$scope.refreshCart(cartId);
};
$scope.addToCart=function (productId,header,token) {
alert(token);
$http.put("/eMusicStore/rest/cart/add/"+productId,{csrf_token: token} ).success(function (data) {
$scope.refreshCart($http.get("/eMusicStore/rest/cart/cartId"));
alert("Product successfully added to the cart");
})
.error(function(data,status,header,config){
alert(data);
})
};
$scope.removeCart=function(productId){
$http.put("/eMusicStore/rest/cart/remove/"+productId).success(function(data){
$scope.refreshCart($http.get("/eMusicStore/rest/cart/cartId"));
});
};
});
的security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver"></property>
<property name="url" value="jdbc:mysql://localhost:3306/my_db"></property>
<property name="username" value="root"></property>
<property name="password" value="Quackie14"></property>
</bean>
<bean id="sessionFactory" class="org.springframework.orm.hibernate5.LocalSessionFactoryBean">
<property name="dataSource" ref="dataSource"></property>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
<prop key="hibernate.hbm2ddl.auto">update</prop>
<prop key="hibernate.show_sql">true</prop>
<prop key="hibernate.format_sql">true</prop>
</props>
</property>
<property name="packagesToScan" >
<list>
<value>com.eMusicStore</value>
</list>
</property>
</bean>
<bean id="transactionManager" class="org.springframework.orm.hibernate5.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory"></property>
</bean>
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
<property name="maxUploadSize" value="1024000"></property>
</bean>
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/admin/**" access="hasRole('ROLE_USER')" />
<security:form-login
login-page="/login"
default-target-url="/admin/"
authentication-failure-url="/login?error"
login-processing-url="/j_spring_security_check"
username-parameter="username"
password-parameter="password"
/>
<security:logout
logout-success-url="/login?logout"
invalidate-session="true"
logout-url="/j_spring_security_logout"
/>
</security:http>
<security:authentication-manager>
<security:authentication-provider >
<security:jdbc-user-service data-source-ref="dataSource"
authorities-by-username-query="select username,authority from authorities where username=?"
users-by-username-query="SELECT username,password,enabled from users where username=?"/>
</security:authentication-provider>
</security:authentication-manager>
</beans>
cart-controller.java
package com.eMusicStore.controller;
import com.eMusicStore.dao.CartDao;
import com.eMusicStore.dao.ProductDao;
import com.eMusicStore.model.Cart;
import com.eMusicStore.model.CartItem;
import com.eMusicStore.model.Product;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
/**
* Created by Dilipan on 6/26/2016.
*/
@Controller
@RequestMapping("/rest/cart")
public class CartController {
@Autowired
private CartDao cartDao;
@Autowired
private ProductDao productDao;
@RequestMapping(value="/{cartId}",method = RequestMethod.GET)
public @ResponseBody
Cart read(@PathVariable (value="cartId") String cartId)
{
return cartDao.readCart(cartId);
}
@RequestMapping(value="/{cartId}",method=RequestMethod.PUT)
@ResponseStatus(value = HttpStatus.NO_CONTENT)
public void updateCart(@PathVariable (value = "cartId")String cartId,@RequestBody Cart cart){
cartDao.updateCart(cartId,cart);
}
@RequestMapping(value="/{cartId}",method=RequestMethod.DELETE)
@ResponseStatus(value=HttpStatus.NO_CONTENT)
public void deleteCart(@PathVariable(value="cartId")String cartId){
cartDao.deleteCart(cartId);
}
@RequestMapping(value="/add/{productId}",method = RequestMethod.PUT)
@ResponseStatus(value=HttpStatus.NO_CONTENT)
public void addItems(@PathVariable(value="productId") int productId, HttpServletRequest request, @RequestHeader (value="csrf_token") CsrfToken _csrf){
String cartId= request.getSession().getId();
System.out.println(cartId);
Cart cart=cartDao.readCart(cartId);
if(cart==null){
cart=cartDao.createCart(new Cart(cartId));
}
Product product=productDao.getProductById(productId);
if(product==null){
throw new IllegalArgumentException("Product Not available");
}
cart.addCartItems(new CartItem(product));
cartDao.updateCart(cartId,cart);
}
@RequestMapping(value="/remove/{productId}",method = RequestMethod.DELETE)
@ResponseStatus(value=HttpStatus.NO_CONTENT)
public void removeItems(@PathVariable(value="productId")int productID,HttpServletRequest request)
{
String cartId=request.getSession().getId();
Cart cart= cartDao.readCart(cartId);
if(cart==null){
cart=cartDao.createCart(new Cart(cartId));
}
Product product=productDao.getProductById(productID);
if(product==null){
throw new IllegalArgumentException("Product Not available");
}
cart.removeCartItem(new CartItem(product));
cartDao.updateCart(cartId,cart);
}
@ExceptionHandler(IllegalArgumentException.class)
@ResponseStatus(value = HttpStatus.BAD_REQUEST, reason = "Illegal Request please verify your payload")
public void handlerClientError(Exception e){}
@ExceptionHandler(Exception.class)
@ResponseStatus(value=HttpStatus.INTERNAL_SERVER_ERROR,reason = "Internal Server Error")
public void handlerServerError(Exception e){}
}