Spring安全过滤器阻止restful api调用

Question

我有一个使用 Spring 4 的 Web 应用程序。我在这里使用 Spring 安全性。同时我需要打开一个没有安全性的restful api。问题是，在启用安全过滤器之前，我的其余 POST 调用会收到 405 方法不允许响应(GET 仍然有效)。同时服务器日志显示

.11:27:13.058 [http-bio-8080-exec-5] WARN  o.s.web.servlet.PageNotFound - Request method 'POST' not supported

当我评论 web.xml POST 中的安全过滤器时，它工作正常。我尝试将以下行添加到安全 xml 但没有帮助。

<intercept-url pattern="/rest**" access="permitAll" />

我的 web.xml ，安全过滤器是在评论 POST 时开始工作的结尾。

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
      http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     version="2.5">

<display-name>Counter Web Application</display-name>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<!-- Loads Spring Security config file -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/application-security.xml,
        /WEB-INF/application-database.xml
    </param-value>
</context-param>

 <!--Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我的应用程序安全.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http security="none" pattern="**/resources/**"/>

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">

    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/rest**" access="permitAll" />

    <!-- access denied page -->
    <access-denied-handler error-page="/access-denied" />

    <form-login
            login-page="/login"
            default-target-url="/admin/dashboard"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
    <logout logout-success-url="/login?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>

    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
                           users-by-username-query="select username,password, enabled from users where username=?"
                           authorities-by-username-query="select username, role from user_roles where username =?" />
    </authentication-provider>

</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

我的休息 Controller 。我还有其他 Controller 。我在这里只是虚拟约会。首先要让事情正常运转。

    @RestController
    @RequestMapping("/rest/orders")
    public class OrderRestController {

    @Autowired
    private FoodItemService foodItemService;

    @RequestMapping(value = "", method = RequestMethod.POST)
    public Order addOrder(Order orderDto) {
        return orderDto;
    }

    @RequestMapping(value = "", method = RequestMethod.GET)
    public Order getOrder() {
        FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
        Order orderDto = new Order();
        orderDto.setRoomId(23);
        OrderItem orderItem = new OrderItem();
        orderItem.setFoodItem(foodItem);
        orderItem.setAmount(4);
        List<OrderItem> orderItems = new LinkedList<OrderItem>();
        orderItems.add(orderItem);
        orderDto.setOrderItemList(orderItems);
        return orderDto;
    }

Answer 1

问题是启用了 csrf。应该进一步研究禁用 csrf 和安全性，但目前禁用它是解决方案。