Spring Security - All JQuery Ajax post requests return 404


Problem description

All my $.ajax, both POST and GET, were working fine, but as soon as I integrated Spring security 3.2.6 into my project the POST ajax requests stopped working without logging any issues.

<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!--Permit all Web resources to bypass proxy-->
    <http pattern="/js/**" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/fonts/**" security="none"/>
    <http pattern="/images/**" security="none"/>

    <http auto-config="true" use-expressions="true" >

        <intercept-url pattern="/login" access="isAnonymous()"/>

        <intercept-url pattern="/workflow**" access="hasRole('ROLE_WORKFLOW_ADMIN')"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WORKFLOW_ADMIN','ROLE_DMS_ADMIN')"/>

        <access-denied-handler error-page="/403"/>

        <form-login
                login-page="/login"
                default-target-url="/dashboard"
                authentication-failure-url="/login?error"
                username-parameter="username"
                password-parameter="password"/>

        <logout invalidate-session="true" logout-success-url="/login?logout"/>

        <csrf/>
    </http>

    <!-- Select users and user_roles from database -->
    <authentication-manager>
        <authentication-provider ref="daoAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="authService"/>
    </beans:bean>


</beans:beans>

Web.xml

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
          http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/mvc-dispatcher-servlet.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error</location>
    </error-page>

</web-app>

Edit

The URL I am trying to access is

http://localhost:8080/ADMIN/workflow/sample-ajax

Could it be something to do with spring security?

Recommended answer

Finally after three agonizing days, I found the problem and boy was it stupid.

The problem was that I have enabled csrf protection in spring security. And that was causing my post requests to be forbidden which triggers the access-denied-handler error page, since I have not mapped my access-denied-handler to the "/403" error page as shown below, my http 403/401 was being masked by the http 404.

<access-denied-handler error-page="/403"/>

In short

  1. Map your access-denied-handler error page to a valid url
  2. If you use csrf protection, then always make sure that you pass them in the ajax post request as such

$.ajax({method :'POST', url : '/ajax',data : {"${_csrf.parameterName}" : "${_csrf.token}"}});
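
An added example (not part of the original answer): instead of placing the token in each request's `data`, it can be sent as a header on every state-changing jQuery request, which also covers JSON bodies. It assumes the server-rendered page exposes `_csrf.token` and `_csrf.headerName` through `<meta name="_csrf">` and `<meta name="_csrf_header">` tags; those meta names and the helper `csrfHeadersFor` are assumptions of this example.

```javascript
// Assumed markup in the JSP page (values filled in by Spring Security):
//   <meta name="_csrf" content="${_csrf.token}"/>
//   <meta name="_csrf_header" content="${_csrf.headerName}"/>

// Methods that Spring Security's default CSRF matcher does not protect.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Hypothetical helper: returns the extra headers for one request,
// or {} when the token must not be attached.
// csrf = { headerName, token }; pageOrigin = e.g. window.location.origin
function csrfHeadersFor(method, url, csrf, pageOrigin) {
  const verb = String(method || 'GET').toUpperCase();
  if (SAFE_METHODS.has(verb)) return {};
  if (!csrf || !csrf.headerName || !csrf.token) return {};
  // Resolve relative URLs against the page and keep the token same-origin,
  // so it is never disclosed to a third-party host.
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return {};
  }
  if (target.origin !== new URL(pageOrigin).origin) return {};
  return { [csrf.headerName]: csrf.token };
}

// Browser wiring; skipped when no window/jQuery is present.
if (typeof window !== 'undefined' && typeof window.jQuery !== 'undefined') {
  const $ = window.jQuery;
  const csrf = {
    headerName: $('meta[name="_csrf_header"]').attr('content'),
    token: $('meta[name="_csrf"]').attr('content'),
  };
  // ajaxSend fires before every $.ajax request leaves the page.
  $(document).ajaxSend(function (event, xhr, options) {
    const headers = csrfHeadersFor(options.type, options.url, csrf,
                                   window.location.origin);
    Object.keys(headers).forEach(function (name) {
      xhr.setRequestHeader(name, headers[name]);
    });
  });
}
```

With this in place a POST that still fails CSRF validation reaches the access-denied-handler, so the `/403` mapping from point 1 is still needed to see the real status instead of a 404.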
