java - Spring Security-允许 GET 但不允许 POST

Question

我正在构建一个简单的应用程序，并且我是 Spring Security 的新手，所以请耐心等待。但无论如何，我有一个 RESTful 应用程序，它获取一些信息并将信息显示到表格中。在实现 Spring Security 之前，一切工作正常。但现在我只能登录该应用程序而无法使用其余功能。 AJAX 最初获取我的表的所有信息，并且工作正常，但是当我将数据发布到数据库时，它返回 403 FORBIDDEN。

这是我的 security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
     xmlns:beans="http://www.springframework.org/schema/beans"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:security="http://www.springframework.org/schema/security"
     xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security.xsd">

<http auto-config="true">
    <cors />
    <intercept-url pattern="/**" access="hasRole('ADMIN')" />
    <intercept-url method="POST" pattern="/TAS/students" access="hasRole('ADMIN')" />
    <form-login />
    <logout invalidate-session="true" delete-cookies="JSESSIONID"/>
</http>


<authentication-manager>
    <authentication-provider user-service-ref="myUserDetailService"/> 
</authentication-manager>   

</beans:beans>

这是我的 Spring 配置 servlet

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:beans="http://www.springframework.org/schema/beans"
 xmlns:context="http://www.springframework.org/schema/context" 
 xmlns:tx="http://www.springframework.org/schema/tx"
 xmlns:mvc="http://www.springframework.org/schema/mvc"
 xmlns:security="http://www.springframework.org/schema/security"
 xsi:schemaLocation=
 "http://www.springframework.org/schema/mvc 
 http://www.springframework.org/schema/mvc/spring-mvc.xsd
 http://www.springframework.org/schema/beans 
 http://www.springframework.org/schema/beans/spring-beans.xsd
 http://www.springframework.org/schema/context 
 http://www.springframework.org/schema/context/spring-context.xsd
 http://www.springframework.org/schema/tx 
 http://www.springframework.org/schema/tx/spring-tx.xsd
 http://www.springframework.org/schema/security
 http://www.springframework.org/schema/security/spring-security.xsd">

 <annotation-driven />

<resources mapping="/resources/**" location="/resources/" />


  <beans:bean 
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
   <beans:property name="prefix">
      <beans:value>/WEB-INF/views/jsp/</beans:value>
   </beans:property>
   <beans:property name="suffix">
      <beans:value>.jsp</beans:value>
   </beans:property>
</beans:bean>

<mvc:default-servlet-handler/>

 <beans:bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
  destroy-method="close">
  <beans:property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <beans:property name="url"
   value="jdbc:mysql://localhost:3306/tds_mock" />
  <beans:property name="username" value="blahblah" />
  <beans:property name="password" value="blahblah" />
 </beans:bean>

 <!-- Hibernate 4 SessionFactory Bean definition -->
 <beans:bean id="hibernate5AnnotatedSessionFactory"
  class="org.springframework.orm.hibernate5.LocalSessionFactoryBean">
  <beans:property name="dataSource" ref="dataSource" />
  <beans:property name="annotatedClasses">
  <beans:list>
<beans:value>tas.web.student.Student</beans:value>
<beans:value>tas.web.user.User</beans:value>
<beans:value>tas.web.user.UserRole</beans:value>
</beans:list>
  </beans:property>
  <beans:property name="hibernateProperties">
   <beans:props>
    <beans:prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect 
</beans:prop>
    <beans:prop key="hibernate.show_sql">true</beans:prop>
   </beans:props>
  </beans:property>
 </beans:bean>

 <beans:bean id="userDao" class="tas.web.user.UserDAOImp">
    <beans:property name="sessionFactory" 
ref="hibernate5AnnotatedSessionFactory"></beans:property>
 </beans:bean>

 <beans:bean id="myUserDetailService" class="tas.web.user.UserService">
    <beans:property name="userDao" ref="userDao"></beans:property>
 </beans:bean>


  <tx:annotation-driven transaction-manager="transactionManager"/>

 <beans:bean id="transactionManager" 
class="org.springframework.orm.hibernate5.HibernateTransactionManager">
  <beans:property name="sessionFactory" 
ref="hibernate5AnnotatedSessionFactory" />
 </beans:bean>

   <beans:bean id="jsonMessageConverter" class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter">
  </beans:bean> 


   <context:component-scan base-package="tas.web"/>

</beans:beans>

最后这是我的休息 Controller

package tas.web.student;

import java.io.IOException;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

import tas.web.student.StudentService;
import net.aksingh.owmjapis.CurrentWeather;
import net.aksingh.owmjapis.OpenWeatherMap;


@RestController
public class StudentController {

 @Autowired
 StudentService studentService;

 @GetMapping(value = "/students")
 public List<Student> getStudents() {

  List<Student> listOfStudents = studentService.getStudents();
  return listOfStudent;
 }

 @GetMapping(value = "/students/{studentID}")
 public Student getStudentById(@PathVariable long studentID) {
  return studentService.getStudent(studentID);
 }

 @PostMapping(value = "/students")
 public Student addStudent(@RequestBody Student student) { 
  return studentService.addStudent(student);
 }

 @PutMapping(value = "/students/{studentID}")
 public Student updateStudent(@PathVariable("studentID") Long studentID, @RequestBody Student student) {
  return studentService.updateStudent(student);
 }

 @DeleteMapping(value = "/students/{studentID}")
 public void deleteStudent(@PathVariable("studentID") long studentID) {
  studentService.deleteStudent(studentID);  
 } 

 @GetMapping(value = "/current/{city}")
 public ResponseEntity currentWeather(@PathVariable("city") String city) throws IOException{
    OpenWeatherMap openWMap = new OpenWeatherMap("APIkey");
    CurrentWeather currentW = openWMap.currentWeatherByCityName(city);      
    return new ResponseEntity(currentW, HttpStatus.OK);
 }
}

我的数据库是MySQL 5.7.3，我使用hibernate来访问它。一切工作正常，直到我实现了 Spring Security。如果需要任何其他文件，请告诉我并提前谢谢您!

Answer 1

在包含“post”表单的 *.jsp 中，将此标记库添加到文件顶部:

<%@taglib uri="http://www.springframework.org/security/tags" 
  prefix ="security" %>

然后在jsp的head部分添加:

<security:csrfMetaTags />

并在表单标签中添加以下内容:

<security:csrfInput/>

您的构建中还必须具有以下依赖项:

org.springframework.security spring-security-taglibs