403 forbidden when I try to post to my spring api?

Problem description

Using postman, I can get a list of users with a get request to: http://localhost:8080/users.

But when I send a post request to the same address, I get a 403 error.

@RestController
public class UserResource {

    @Autowired
    private UserRepository userRepository;

    @GetMapping("/users")
    public List<User> retrievaAllUsers() {
        return userRepository.findAll();
    }

    @PostMapping("/users")
    public ResponseEntity<Object> createUser(@RequestBody User user) {
        User savedUser = userRepository.save(user);

        URI location = ServletUriComponentsBuilder.fromCurrentRequest()
                .path("/{id}")
                .buildAndExpand(savedUser.getId())
                .toUri();

        return ResponseEntity.created(location).build();
    }
}


@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    /*@Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .userDetailsService(userDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
    }*/


    /*@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests()
                .antMatchers("/users/**").hasRole("ADMIN")
                .and().csrf().disable().headers().frameOptions().disable();
    }*/
}

@Entity
@Table(name = "user")
public class User {

    @Id
    @GeneratedValue
    private Long id;
    private String name;
    private String password;
    @Enumerated(EnumType.STRING)
    private Role role;

    // TODO which can be removed

    public User() {
        super();
    }

    public User(Long id, String name, String password, Role role) {
        this.id = id;
        this.name = name;
        this.password = password;
        this.role = role;
    }

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public Role getRole() {
        return role;
    }

    public void setRole(Role role) {
        this.role = role;
    }
}





@Repository
public interface UserRepository extends JpaRepository<User, Long> {
}






INSERT INTO user VALUES (1, 'user1', 'pass1', 'ADMIN');
INSERT INTO user VALUES (2, 'user2', 'pass2', 'USER');
INSERT INTO user VALUES (3, 'user3', 'pass3', 'ADMIN');

Edit

Edit 2

Added delete, but it also gives a 403?

@DeleteMapping("/users/{id}")
public void deleteUser(@PathVariable long id) { userRepository.deleteById(id); }

Edit 4

@EnableWebSecurity
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/users/**").permitAll();
    }
}



@Configuration
@EnableAutoConfiguration
@ComponentScan
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }


}

Recommended answer

@EnableWebSecurity enables spring security and it by default enables csrf support, you must disable it in order to prevent 403 errors.

@Override
protected void configure(HttpSecurity http) throws Exception {
     http.csrf().disable();
}

Or send csrf token with each request.

Note: disabling csrf makes application less secure, best thing to do is send csrf token.
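
The alternative the answer mentions, sending the CSRF token with each request, could look like the following. This is an added example, not code from the question or the answer; it assumes Spring Security 5.x (where `WebSecurityConfigurerAdapter` exists and the token cookie is issued on the first request) and Java 11+, and `CsrfClient` and the sample user are hypothetical.

```java
// SecurityConfig.java: CSRF stays enabled; the token is exposed in a cookie.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/users/**").permitAll()   // rule from the question's Edit 4
            .and()
            // The token is written to the XSRF-TOKEN cookie and must come back
            // in the X-XSRF-TOKEN header on POST/PUT/PATCH/DELETE.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

// CsrfClient.java: hypothetical client, not part of the question.
import java.net.CookieManager;
import java.net.HttpCookie;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse.BodyHandlers;
public class CsrfClient {
    public static void main(String[] args) throws Exception {
        CookieManager cookies = new CookieManager();
        HttpClient client = HttpClient.newBuilder().cookieHandler(cookies).build();
        URI users = URI.create("http://localhost:8080/users");
        String body = "{\"name\":\"user4\",\"password\":\"pass4\",\"role\":\"USER\"}"; // constructed sample

        // 1. A safe request (GET) makes the server issue the XSRF-TOKEN cookie.
        client.send(HttpRequest.newBuilder(users).GET().build(), BodyHandlers.discarding());
        String token = cookies.getCookieStore().getCookies().stream()
                .filter(c -> c.getName().equals("XSRF-TOKEN"))
                .map(HttpCookie::getValue).findFirst()
                .orElseThrow(() -> new IllegalStateException("no XSRF-TOKEN cookie"));
        // 2. Echo the token in the header; the cookie itself is sent by the CookieManager.
        HttpRequest post = HttpRequest.newBuilder(users)
                .header("Content-Type", "application/json")
                .header("X-XSRF-TOKEN", token)
                .POST(HttpRequest.BodyPublishers.ofString(body))
                .build();
        System.out.println(client.send(post, BodyHandlers.ofString()).statusCode());
    }
}
```

In Postman the same flow applies: send the GET first, then copy the value of the `XSRF-TOKEN` cookie into an `X-XSRF-TOKEN` header on the POST or DELETE.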
