Spring Security - All JQuery Ajax post requests return 404
Problem description
All my $.ajax requests, both POST and GET, were working fine, but as soon as I integrated Spring Security 3.2.6 into my project the POST ajax requests stopped working without logging any issues.
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
             http://www.springframework.org/schema/beans/spring-beans.xsd
             http://www.springframework.org/schema/security
             http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!--Permit all Web resources to bypass proxy-->
    <http pattern="/js/**" security="none"/>
    <http pattern="/css/**" security="none"/>
    <http pattern="/fonts/**" security="none"/>
    <http pattern="/images/**" security="none"/>

    <http auto-config="true" use-expressions="true" >
        <intercept-url pattern="/login" access="isAnonymous()"/>
        <intercept-url pattern="/workflow**" access="hasRole('ROLE_WORKFLOW_ADMIN')"/>
        <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WORKFLOW_ADMIN','ROLE_DMS_ADMIN')"/>
        <access-denied-handler error-page="/403"/>
        <form-login
            login-page="/login"
            default-target-url="/dashboard"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password"/>
        <logout invalidate-session="true" logout-success-url="/login?logout"/>
        <csrf/>
    </http>

    <!-- Select users and user_roles from database -->
    <authentication-manager>
        <authentication-provider ref="daoAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="daoAuthenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="authService"/>
    </beans:bean>
</beans:beans>
Web.xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>mvc-dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>mvc-dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/mvc-dispatcher-servlet.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error</location>
    </error-page>
</web-app>
Edit
The URL I want to access is
Could it be something to do with Spring Security?
Recommended answer
Finally after three agonizing days, I found the problem and boy was it stupid.
The problem was that I have enabled csrf protection in Spring Security. And that was causing my POST requests to be forbidden, which triggers the access-denied-handler error page. Since I have not mapped my access-denied-handler to the "/403" error page as shown below, my HTTP 403/401 was being masked by the HTTP 404.
<access-denied-handler error-page="/403"/>
In short
- Map your access-denied-handler error page to a valid URL
- If you use csrf protection, then always make sure that you pass them in the ajax post request as such
$.ajax({method :'POST', url : '/ajax',data : {"${_csrf.parameterName}" : "${_csrf.token}"}});
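
The following is an added example, not part of the original answer: instead of repeating the token in every `data` object, a single jQuery prefilter can attach it as a request header, which Spring Security's CSRF filter also accepts. It also shows why only POST broke: the default matcher skips GET, HEAD, TRACE and OPTIONS. Assumptions: the function name `csrfHeaderFor` is hypothetical, and the page renders the token and header name into `<meta name="_csrf">` and `<meta name="_csrf_header">` tags.

```javascript
// Added example: attach the Spring Security CSRF token to same-origin,
// state-changing jQuery requests as a header.
// Assumption: the page renders <meta name="_csrf" content="${_csrf.token}"/>
// and <meta name="_csrf_header" content="${_csrf.headerName}"/>.

// Methods that Spring Security's default CSRF matcher does not check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'TRACE', 'OPTIONS']);

// Returns { headerName: token } when the request needs a token, else null.
function csrfHeaderFor(method, url, pageOrigin, csrf) {
  if (!csrf || !csrf.token || !csrf.headerName) return null;
  if (SAFE_METHODS.has(String(method || 'GET').toUpperCase())) return null;
  let target;
  try {
    target = new URL(url, pageOrigin); // resolves relative URLs such as '/ajax'
  } catch (e) {
    return null; // unparseable URL: do not attach the token
  }
  // Never send the token to another origin.
  if (target.origin !== new URL(pageOrigin).origin) return null;
  return { [csrf.headerName]: csrf.token };
}

// Browser wiring; skipped when jQuery or the DOM is absent (e.g. under Node).
if (typeof jQuery !== 'undefined' && typeof document !== 'undefined') {
  const meta = (name) => {
    const el = document.querySelector('meta[name="' + name + '"]');
    return el ? el.getAttribute('content') : null;
  };
  const csrf = { token: meta('_csrf'), headerName: meta('_csrf_header') };
  jQuery.ajaxPrefilter(function (options, originalOptions, jqXHR) {
    const method = options.type || options.method;
    const h = csrfHeaderFor(method, options.url, window.location.origin, csrf);
    if (h) Object.keys(h).forEach((k) => jqXHR.setRequestHeader(k, h[k]));
  });
}
```

With this in place, a request rejected for a missing or stale token still returns 403, so the `access-denied-handler` error page must resolve to a real URL for that status to be visible.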