Spring Security阻止对GWT服务的访问

Question

我是Spring安全新手，当我将其与GWT配对时遇到问题。即，我对GWT中的服务的呼叫被标记为“ 403禁止”。

POST http://127.0.0.1:8888/grapl/adminService 403 (Forbidden)

这是我的spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:b="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">


    <!-- This is where we configure Spring-Security  -->
    <security:http auto-config="true" use-expressions="true">

    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:intercept-url pattern="/grapl/auth/**" access="isAuthenticated()"/>
        <security:intercept-url pattern="/grapl/adminService/**" access="isAuthenticated()"/>

    </security:http>

    <b:bean id="graplAuthentication" class="com.lilly.rim.security.GraplAuthentication"/>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="graplAuthentication" />
    </security:authentication-manager>

</b:beans>

Web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
              http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-security.xml, /WEB-INF/applicationContext.xml</param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>



    <!-- Servlets -->

    <servlet>
        <servlet-name>AdminServiceServlet</servlet-name>
        <servlet-class>com.foo.rim.server.AdminServiceImpl</servlet-class>

    </servlet>

    <servlet>
        <servlet-name>LoaderServiceServlet</servlet-name>
        <servlet-class>com.foo.rim.server.LoaderServiceImpl</servlet-class>
    </servlet>

     <servlet>
        <servlet-name>authServlet</servlet-name>
        <servlet-class>com.foo.rim.server.AuthServiceImpl</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>authServlet</servlet-name>
        <url-pattern>/grapl/auth</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>AdminServiceServlet</servlet-name>
        <url-pattern>/grapl/adminService</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>LoaderServiceServlet</servlet-name>
        <url-pattern>/grapl/loaderService</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>



    <welcome-file-list>
        <welcome-file>grapl.html</welcome-file>
    </welcome-file-list>

</web-app>

登录和身份验证正常。我被重定向到我的gwt前端。我的Spring认证后端是一个自定义提供程序。所有配置都在spring-security.xml中完成。

GWT Servlet是否需要Spring注释？我看到的任何示例似乎都应该通过配置起作用。

Answer 1

我需要禁用csrf检查。

<security:http ...

<security:csrf disabled="true" />
</security:http>