Question

我正在构建一个简单的应用程序，我是Spring Security的新手，所以请耐心等待。但无论如何我有一个RESTful应用程序，它需要一些信息并将信息显示在表格中。在实施Spring安全性之前一切正常。但现在我只能登录到应用程序而不使用其余功能。 AJAX最初获取我的表的所有信息，并且工作正常，但当我将数据发布到我的数据库时，它返回403 FORBIDDEN。

这是我的security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
     xmlns:beans="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:security="http://www.springframework.org/schema/security"
     xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security.xsd">

<http auto-config="true">
    <cors />
    <intercept-url pattern="/**" access="hasRole('ADMIN')" />
    <intercept-url method="POST" pattern="/TAS/students" access="hasRole('ADMIN')" />
    <form-login />
    <logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>


<authentication-manager>
    <authentication-provider user-service-ref="myUserDetailService"/> 
</authentication-manager>   

</beans:beans>

这是我的Spring配置servlet

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:beans="http://www.springframework.org/schema/beans"
 xmlns:context="http://www.springframework.org/schema/context" 
 xmlns:tx="http://www.springframework.org/schema/tx"
 xmlns:mvc="http://www.springframework.org/schema/mvc"
 xmlns:security="http://www.springframework.org/schema/security"
 xsi:schemaLocation=
 "http://www.springframework.org/schema/mvc 
 http://www.springframework.org/schema/mvc/spring-mvc.xsd
 http://www.springframework.org/schema/beans 
 http://www.springframework.org/schema/beans/spring-beans.xsd
 http://www.springframework.org/schema/context 
 http://www.springframework.org/schema/context/spring-context.xsd
 http://www.springframework.org/schema/tx 
 http://www.springframework.org/schema/tx/spring-tx.xsd
 http://www.springframework.org/schema/security
 http://www.springframework.org/schema/security/spring-security.xsd">

 <annotation-driven />

<resources mapping="/resources/**" location="/resources/" />


  <beans:bean 
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
   <beans:property name="prefix">
      <beans:value>/WEB-INF/views/jsp/</beans:value>
   </beans:property>
   <beans:property name="suffix">
      <beans:value>.jsp</beans:value>
   </beans:property>
</beans:bean>

<mvc:default-servlet-handler/>

 <beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
  destroy-method="close">
  <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <beans:property name="url"
   value="jdbc:mysql://localhost:3306/tds_mock" />
  <beans:property name="username" value="blahblah" />
  <beans:property name="password" value="blahblah" />
 </beans:bean>

 <!-- Hibernate 4 SessionFactory Bean definition -->
 <beans:bean id="hibernate5AnnotatedSessionFactory"
  class="org.springframework.orm.hibernate5.LocalSessionFactoryBean">
  <beans:property name="dataSource" ref="dataSource" />
  <beans:property name="annotatedClasses">
  <beans:list>
<beans:value>tas.web.student.Student</beans:value>
<beans:value>tas.web.user.User</beans:value>
<beans:value>tas.web.user.UserRole</beans:value>
</beans:list>
  </beans:property>
  <beans:property name="hibernateProperties">
   <beans:props>
    <beans:prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect 
</beans:prop>
    <beans:prop key="hibernate.show_sql">true</beans:prop>
   </beans:props>
  </beans:property>
 </beans:bean>

 <beans:bean id="userDao" class="tas.web.user.UserDAOImp">
    <beans:property name="sessionFactory" 
ref="hibernate5AnnotatedSessionFactory"></beans:property>
 </beans:bean>

 <beans:bean id="myUserDetailService" class="tas.web.user.UserService">
    <beans:property name="userDao" ref="userDao"></beans:property>
 </beans:bean>


  <tx:annotation-driven transaction-manager="transactionManager"/>

 <beans:bean id="transactionManager" 
class="org.springframework.orm.hibernate5.HibernateTransactionManager">
  <beans:property name="sessionFactory" 
ref="hibernate5AnnotatedSessionFactory" />
 </beans:bean>

   <beans:bean id="jsonMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
  </beans:bean> 


   <context:component-scan base-package="tas.web"/>

</beans:beans>

最后这是我的restcontroller

package tas.web.student;

import java.io.IOException;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import tas.web.student.StudentService;
import net.aksingh.owmjapis.CurrentWeather;
import net.aksingh.owmjapis.OpenWeatherMap;


@RestController
public class StudentController {

 @Autowired
 StudentService studentService;

 @GetMapping(value = "/students")
 public List<Student> getStudents() {

  List<Student> listOfStudents = studentService.getStudents();
  return listOfStudent;
 }

 @GetMapping(value = "/students/{studentID}")
 public Student getStudentById(@PathVariable long studentID) {
  return studentService.getStudent(studentID);
 }

 @PostMapping(value = "/students")
 public Student addStudent(@RequestBody Student student) { 
  return studentService.addStudent(student);
 }

 @PutMapping(value = "/students/{studentID}")
 public Student updateStudent(@PathVariable("studentID") Long studentID, @RequestBody Student student) {
  return studentService.updateStudent(student);
 }

 @DeleteMapping(value = "/students/{studentID}")
 public void deleteStudent(@PathVariable("studentID") long studentID) {
  studentService.deleteStudent(studentID);  
 } 

 @GetMapping(value = "/current/{city}")
 public ResponseEntity currentWeather(@PathVariable("city") String city) throws IOException{
    OpenWeatherMap openWMap = new OpenWeatherMap("APIkey");
    CurrentWeather currentW = openWMap.currentWeatherByCityName(city);      
    return new ResponseEntity(currentW, HttpStatus.OK);
 }
}

我的数据库是MySQL 5.7.3，我正在使用hibernate来访问它。在我实施弹簧安全性之前，一切正常。如果需要任何其他文件，请提前告知我们并提前感谢您！

Answer 1

在你的* .jsp中有一个＆＃39;帖子＆＃39;将表单添加到文件的顶部：

<%@taglib uri="http://www.springframework.org/security/tags" 
  prefix ="security" %>

然后在jsp的head部分添加：

<security:csrfMetaTags />

在表格标签中添加以下内容：

<security:csrfInput/>

您的构建中还必须具有以下依赖项：

       org.springframework.security        弹簧安全标记库

Answer 2

Spring安全只是在做它。

你应该知道什么

针对跨站点请求伪造攻击（CSRF攻击）的Spring安全指南，默认情况下启用此功能。现在您已经实现了spring安全性，您需要在所有表单post和ajax post请求中传递CSRF令牌，以便成功执行这些请求，否则spring security将抛出AccessDeniedException并返回错误403作为响应。

阅读this Spring安全文档，以便更好地了解Spring安全性CSRF功能的有用性以及如何使用它。

Spring Security-允许GET但不允许POST

2 个答案: