我正在构建一个简单的应用程序,并且我是 Spring Security 的新手,所以请耐心等待。但无论如何,我有一个 RESTful 应用程序,它获取一些信息并将信息显示到表格中。在实现 Spring Security 之前,一切工作正常。但现在我只能登录该应用程序而无法使用其余功能。 AJAX 最初获取我的表的所有信息,并且工作正常,但是当我将数据发布到数据库时,它返回 403 FORBIDDEN。
这是我的 security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<http auto-config="true">
<cors />
<intercept-url pattern="/**" access="hasRole('ADMIN')" />
<intercept-url method="POST" pattern="/TAS/students" access="hasRole('ADMIN')" />
<form-login />
<logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="myUserDetailService"/>
</authentication-manager>
</beans:beans>
这是我的 Spring 配置 servlet
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation=
"http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<annotation-driven />
<resources mapping="/resources/**" location="/resources/" />
<beans:bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<beans:property name="prefix">
<beans:value>/WEB-INF/views/jsp/</beans:value>
</beans:property>
<beans:property name="suffix">
<beans:value>.jsp</beans:value>
</beans:property>
</beans:bean>
<mvc:default-servlet-handler/>
<beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close">
<beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
<beans:property name="url"
value="jdbc:mysql://localhost:3306/tds_mock" />
<beans:property name="username" value="blahblah" />
<beans:property name="password" value="blahblah" />
</beans:bean>
<!-- Hibernate 4 SessionFactory Bean definition -->
<beans:bean id="hibernate5AnnotatedSessionFactory"
class="org.springframework.orm.hibernate5.LocalSessionFactoryBean">
<beans:property name="dataSource" ref="dataSource" />
<beans:property name="annotatedClasses">
<beans:list>
<beans:value>tas.web.student.Student</beans:value>
<beans:value>tas.web.user.User</beans:value>
<beans:value>tas.web.user.UserRole</beans:value>
</beans:list>
</beans:property>
<beans:property name="hibernateProperties">
<beans:props>
<beans:prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect
</beans:prop>
<beans:prop key="hibernate.show_sql">true</beans:prop>
</beans:props>
</beans:property>
</beans:bean>
<beans:bean id="userDao" class="tas.web.user.UserDAOImp">
<beans:property name="sessionFactory"
ref="hibernate5AnnotatedSessionFactory"></beans:property>
</beans:bean>
<beans:bean id="myUserDetailService" class="tas.web.user.UserService">
<beans:property name="userDao" ref="userDao"></beans:property>
</beans:bean>
<tx:annotation-driven transaction-manager="transactionManager"/>
<beans:bean id="transactionManager"
class="org.springframework.orm.hibernate5.HibernateTransactionManager">
<beans:property name="sessionFactory"
ref="hibernate5AnnotatedSessionFactory" />
</beans:bean>
<beans:bean id="jsonMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
</beans:bean>
<context:component-scan base-package="tas.web"/>
</beans:beans>
最后这是我的休息 Controller
package tas.web.student;
import java.io.IOException;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import tas.web.student.StudentService;
import net.aksingh.owmjapis.CurrentWeather;
import net.aksingh.owmjapis.OpenWeatherMap;
@RestController
public class StudentController {
@Autowired
StudentService studentService;
@GetMapping(value = "/students")
public List<Student> getStudents() {
List<Student> listOfStudents = studentService.getStudents();
return listOfStudent;
}
@GetMapping(value = "/students/{studentID}")
public Student getStudentById(@PathVariable long studentID) {
return studentService.getStudent(studentID);
}
@PostMapping(value = "/students")
public Student addStudent(@RequestBody Student student) {
return studentService.addStudent(student);
}
@PutMapping(value = "/students/{studentID}")
public Student updateStudent(@PathVariable("studentID") Long studentID, @RequestBody Student student) {
return studentService.updateStudent(student);
}
@DeleteMapping(value = "/students/{studentID}")
public void deleteStudent(@PathVariable("studentID") long studentID) {
studentService.deleteStudent(studentID);
}
@GetMapping(value = "/current/{city}")
public ResponseEntity currentWeather(@PathVariable("city") String city) throws IOException{
OpenWeatherMap openWMap = new OpenWeatherMap("APIkey");
CurrentWeather currentW = openWMap.currentWeatherByCityName(city);
return new ResponseEntity(currentW, HttpStatus.OK);
}
}
我的数据库是MySQL 5.7.3,我使用hibernate来访问它。一切工作正常,直到我实现了 Spring Security。如果需要任何其他文件,请告诉我并提前谢谢您!
最佳答案
在包含“post”表单的 *.jsp 中,将此标记库添加到文件顶部:
<%@taglib uri="http://www.springframework.org/security/tags"
prefix ="security" %>
然后在jsp的head部分添加:
<security:csrfMetaTags />
并在表单标签中添加以下内容:
<security:csrfInput/>
您的构建中还必须具有以下依赖项:
org.springframework.security spring-security-taglibs
关于java - Spring Security-允许 GET 但不允许 POST,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/45621396/