即使禁用csrf,Spring Security 403禁止的错误也会继续发生

时间:2020-06-20 03:39:19

标签: java spring-boot spring-security csrf http-status-code-403

我一直在关注https://programmingtechie.com/2019/11/08/build-a-full-stack-reddit-clone-with-spring-boot-and-angular-part-3/上的教程。

由于某种原因,即使禁用了csrf,/auth/api/login REST-API仍会抛出403禁止错误(访问被拒绝)。

    @Override
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.cors().and()
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/api/auth/**")
                .permitAll()
                .anyRequest()
                .authenticated();

        httpSecurity.addFilterBefore(jwtAuthenticationFilter,
                UsernamePasswordAuthenticationFilter.class);
    }

这是在SecurityConfig类上,扩展了WebSecurityConfigurerAdapter

下面是AuthController

@RestController
@RequestMapping("/api/auth")
@AllArgsConstructor
public class AuthController {

    private final AuthService authService;
    private final RefreshTokenService refreshTokenService;

    @PostMapping("/signup")
    public ResponseEntity<String> signup (@RequestBody RegisterRequest registerRequest) {
        authService.signup(registerRequest);
        return new ResponseEntity<>("User Registration Successful", HttpStatus.OK);
    }

    @PostMapping("/login")
    public AuthenticationResponse login(@RequestBody LoginRequest loginRequest) {
        return authService.login(loginRequest);
    }

    @GetMapping("accountVerification/{token}")
    public ResponseEntity<String> verifyAccount(@PathVariable String token) {
        authService.verifyAccount(token);
        return new ResponseEntity<>("Account Activated Successfully", OK);
    }

当我尝试请求http://localhost:8080/api/auth/signup时,它工作正常,但http://localhost:8080/api/auth/login仍然返回403禁止的错误。

要清楚,下面是JwtAuthenticationFilter类。

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain filterChain) throws ServletException, IOException {
        String jwt = getJwtFromRequest(request);

        if (StringUtils.hasText(jwt) && jwtProvider.validateToken(jwt)){
            String username = jwtProvider.getUsernameFromJwt(jwt);

            UserDetails userDetails = userDetailsService.loadUserByUsername(username);
            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(userDetails,
                    null, userDetails.getAuthorities());

            authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }

    private String getJwtFromRequest(HttpServletRequest request){
        String bearerToken = request.getHeader("Authorization");

        if(StringUtils.hasText(bearerToken) && bearerToken.startsWith("Bearer ")){
            return bearerToken.substring(7);
        }

        return bearerToken;
    }

有人可以指出错误,还是我需要做更多的配置?

2 个答案:

答案 0 :(得分:0)

修复:从HttpSecurity配置中删除cors()。

在学习本教程时,我遇到了同样的问题。坦率地说,即使我是新来的春季靴子。正在尝试不同的方法来解决此问题,而这对我来说是很重要的。我不确定为什么这可以解决问题。需要深入研究这一点。但我希望这可以帮助您在本教程中继续前进。

答案 1 :(得分:0)

我遇到了同样的问题,但就我而言,我在 LoginRequest 类中拼错了我的属性

public class LoginRequest{
  private String username;
  private String passsword; // i put 3's'
}

这是我从邮递员那里收到的请求正文

{
  "username":"name"
  "password":"123" // i put 2 's'
}

我对此也很陌生..但了解回复实际上会对您有很大帮助, 我希望它可以帮助面临同样问题的其他人..

相关问题
最新问题