我使用Spring构建REST服务并使用Spring Security。 loginform的默认解决方案并不适合我。这是我的WebSecurityConfig:
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
class PostAuthSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
httpServletResponse.setStatus(200);
}
}
class PostAuthFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
httpServletResponse.setStatus(403);
e.printStackTrace(new PrintWriter(httpServletResponse.getOutputStream()));
}
}
@Autowired
private MySQLUserDetailsManager mySQLUserDetailsManager;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login", "/registration", "/checkUser", "/").permitAll()
.anyRequest().authenticated()
.and().formLogin()
.loginProcessingUrl("/login")
.successHandler(new PostAuthSuccessHandler())
.failureHandler(new PostAuthFailureHandler())
.permitAll()
.and().logout()
.permitAll()
.and().exceptionHandling()
.authenticationEntryPoint(new Http403ForbiddenEntryPoint());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/scripts/**");
web.ignoring().antMatchers("/styles/**");
web.ignoring().antMatchers("/jquery-validate/**");
web.ignoring().antMatchers("/bootstrap-3.3.6/**");
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(mySQLUserDetailsManager);
}
}
但是/ login请求始终是403禁止的。我理解,有些东西会将我重定向到/错误。 UPD:所有网页都在响应403 Forbidden,even" /"," / checkuser"。
答案 0 :(得分:0)
我忘记了,在标准格式中,隐藏输入中有一个csrf键。所以:
http
.csrf().disable()