“状态":403，“错误":“禁止"，“消息":“禁止"，“路径":“/post/create" [英] "status": 403, "error": "Forbidden", "message": "Forbidden", "path": "/post/create"

问题描述

我在管理员授权后尝试添加新帖子时看到此响应.

我有基于 Spring Boot 安全性的基本授权:

@Configuration@启用网络安全公共类 SecurityConfiguration 扩展了 WebSecurityConfigurerAdapter {//...声明的字段@自动连线public void configureGlobal(AuthenticationManagerBuilder auth) 抛出异常 {授权.inMemoryAuthentication().passwordEncoder(passwordEncoder()).withUser("用户").password("用户密码").roles("用户").and().withUser("admin").password("adminpass").roles("管理员", "用户");}@覆盖protected void configure(HttpSecurity http) 抛出异常 {http.authorizeRequests().antMatchers("/login").permitAll().antMatchers("/logout").permitAll().anyRequest().authenticated().and().httpBasic().and().logout().permitAll().and().formLogin().loginProcessingUrl("/登录").permitAll().and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/登录");}@豆public PasswordEncoder passwordEncoder() {返回新的 BCryptPasswordEncoder();}}

我在授权后尝试添加新帖子时收到此消息:

<代码>{"时间戳": "2018-07-04T12:19:25.638+0000",状态":403，"错误": "禁止","message": "禁止",路径":/发布/创建"}

在我的控制器中:

@RestController公共类 PostController {@自动连线私人 PostDAO postDAO；@GetMapping("/posts")公共页面<帖子>getAllPosts(Pageable pageable) {返回 postDAO.findAll(pageable);}@PostMapping("/post/create")public Post createPost(@Valid @RequestBody Post post) {返回 postDAO.save(post);}//其他端点......}

但是，从我的控制器读取操作运行良好，但我无法访问 CRUD 操作.

有我的依赖:

依赖项{编译 ('org.springframework.boot:spring-boot-starter-web')编译('org.springframework.boot:spring-boot-starter-data-jpa')compile('org.hibernate:hibernate-core')编译('org.springframework.boot:spring-boot-starter-security')运行时('mysql:mysql-connector-java')testCompile('org.springframework.boot:spring-boot-starter-test')testCompile('org.springframework.security:spring-security-test')testCompile('junit:junit')}

有什么想法吗?提前致谢！

解决方案

这是由于启用了 CSRF.CSRF 保护在 Java 配置中默认启用.我们仍然可以使用下面给出的配置禁用 CSRF.

http .csrf().disable() .authorizeRequests() .anyRequest().permitAll();

从 Spring Security 4.x 开始 - CSRF 保护也在 XML 配置中默认启用；如果需要，我们当然仍然可以禁用它:

...<csrf disabled="true"/></http>

<块引用>

注意:CSRF 是一种攻击，它迫使最终用户执行不需要的当前已通过身份验证的 Web 应用程序中的操作.

I see this response when I try to add new post after authorization by admin.

I have Basic authorization which based on spring boot security:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    //...declared fields
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("user")
                .password("userpass")
                .roles("USER")
                .and()
                .withUser("admin")
                .password("adminpass")
                .roles("ADMIN", "USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and().logout().permitAll()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                .permitAll()
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

I get this message when try to add new post after authorization:

{
    "timestamp": "2018-07-04T12:19:25.638+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/post/create"
}

in my controller:

@RestController
public class PostController {
    @Autowired
    private PostDAO postDAO;

    @GetMapping("/posts")
    public Page<Post> getAllPosts(Pageable pageable) {
        return postDAO.findAll(pageable);
    }

    @PostMapping("/post/create")
    public Post createPost(@Valid @RequestBody Post post) {
        return postDAO.save(post);
    }
    //other end-points........
}

However, read operations from my controller work well but to CRUD operation I haven't access.

There are my dependencies:

dependencies {
    compile ('org.springframework.boot:spring-boot-starter-web')
    compile('org.springframework.boot:spring-boot-starter-data-jpa')
    compile('org.hibernate:hibernate-core')
    compile('org.springframework.boot:spring-boot-starter-security')
    runtime('mysql:mysql-connector-java')
    testCompile('org.springframework.boot:spring-boot-starter-test')
    testCompile('org.springframework.security:spring-security-test')
    testCompile('junit:junit')
}

Any idea? Thanks in advance!

解决方案

This is due to CSRF enabled. CSRF protection is enabled by default in the Java configuration. We can still disable CSRF using the configuration given below.

http .csrf().disable() .authorizeRequests() .anyRequest().permitAll(); 

Starting from Spring Security 4.x – the CSRF protection is enabled by default in the XML configuration as well; we can of course still disable it if we need to:

<http>
    ...
    <csrf disabled="true"/>
</http>

Note : CSRF is an attack which forces an end user to execute unwanted actions in a web application in which is currently authenticated.

这篇关于“状态":403，“错误":“禁止"，“消息":“禁止"，“路径":“/post/create"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！