Spring Security Blocking 公共休息服务 [英] Spring Security Blocking public rest service
问题描述
我对 Spring Security 和我的公共 Rest 服务有一个小问题(只有我使用 POST)
I have a little problem with Spring Security and my public Rest service (only I use POST)
我的 RestController 是:
My RestController is :
@RestController
@RequestMapping(value="/public/rest/status")
Public class DoSomeThing {
@RequestMapping(method=RequestMethod.GET)
public String getStatus(){
return "OK";
}
@RequestMapping(method=RequestMethod.POST)
public String setON(){
return "Done";
}
}
我的 Spring Security 是:
and my Spring Security is :
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private LogoutHandler logoutHandler;
@Autowired
private AuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private AccessDeniedHandler accessDeniedHandler;
@Autowired
private AuthenticationFailureHandler authenticationFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/public/**").permitAll()
.antMatchers("/error/**").permitAll()
.and()
.authorizeRequests()
.antMatchers("/adm/**").hasAnyRole(Role.ROOT,Role.ADM)
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.successHandler(authenticationSuccessHandler)
.failureHandler(authenticationFailureHandler)
.defaultSuccessUrl("/home",true)
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/login")
.permitAll()
.addLogoutHandler(logoutHandler)
.and()
.exceptionHandling()
.accessDeniedHandler(accessDeniedHandler);
}
}
当我尝试通过 GET 访问我的 Rest 服务时,一切正常:
When I try to access my Rest service by GET its all fine :
$curl -i -X GET localhost:8080/public/rest/status
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;charset=UTF-8
Content-Length: 2
Date: Sun, 10 Jan 2016 05:23:10 GMT
但是当我尝试使用 POST 时,剩下的就是拒绝
But when I try using POST the rest is deny
$curl -i -X POST localhost:8080/public/rest/status
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=57387564970B157C03310B6DAFE8E82B; Path=/; HttpOnly
Location: /error/denied
Content-Length: 0
Date: Sun, 10 Jan 2016 05:23:26 GMT
如何为我的 REST 服务(POST 和 GET)授予所有访问权限?
How can I grant access to all for my REST service (POST and GET)?
推荐答案
默认情况下,当您使用 Java Config 来实现 Spring 安全性时,CSRF
保护是 ON
.您应该为 POST
请求提供一个 CSRF
令牌,或者通过添加以下配置来禁用它:
By default CSRF
protection is ON
when you're using Java Config for spring security. You should either provide a CSRF
token for POST
requests or disable it by adding this piece of configuration:
http
...
.and()
.csrf().disable();
这篇关于Spring Security Blocking 公共休息服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!