Spring Security Config 可能有啥问题?获取与 POST
Posted
技术标签:
【中文标题】Spring Security Config 可能有啥问题?获取与 POST【英文标题】:What might be wrong with Spring Security Config? Get vs POSTSpring Security Config 可能有什么问题?获取与 POST 【发布时间】:2020-04-12 23:54:52 【问题描述】:我有一个 Rest Controller 和两个端点。虽然我可以对 GET 端点进行基本身份验证,但我不能对 POST 端点执行相同的操作。
请参阅下面的 GET 和 POST 的 curl 执行,由于某种原因 POST 端点返回 401。
可能是什么原因?有任何想法吗?正如您可以在底部检查安全配置,我没有 GET/POST 的特殊情况。
试试看:
curl -v -u user:password -X GET http://localhost:8080/api/clusters/
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'user'
> GET /api/clusters/ HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Fri, 20 Dec 2019 12:50:44 GMT
<
* Connection #0 to host localhost left intact
["id":1,"name":"Alfa","securityProtocol":"PLAINTEXT","sslTruststorePassword":null,"sslKeystorePassword":null,"sslKeyPassword":null,"trustStore":null,"keyStore":null,"saslMechanism":"","saslJaasConfig":"","clientId":"Ali","requestTimeoutMs":30000,"version":0,"properties":[],"bootstrapServers":"kafka1:9093"]* Closing connection 0
尝试后:
kaan$ curl -v -u user:password -X POST http://localhost:8080/api/clusters/ -d "name":"Beta"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'user'
> POST /api/clusters/ HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 11
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 11 out of 11 bytes
< HTTP/1.1 401
< Set-Cookie: JSESSIONID=022342C09075AC29AC703547FD5A0E45; Path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Realm"
< Content-Length: 0
< Date: Fri, 20 Dec 2019 12:51:38 GMT
<
* Connection #0 to host localhost left intact
* Closing connection 0
我的安全配置如下:
@Override
protected void configure(HttpSecurity http) throws Exception
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/img/**", "/vendor/**", "/login").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.formLogin()
.loginPage("/login.html")
.permitAll()
.and()
.logout()
.permitAll();
【问题讨论】:
【参考方案1】:这解决了问题:
.csrf().disable()
【讨论】:
以上是关于Spring Security Config 可能有啥问题?获取与 POST的主要内容,如果未能解决你的问题,请参考以下文章
在 JSF、Spring、Spring-Security 项目中是不是需要 faces-config.xml? [复制]
如何使用 Spring-Security 3 和 Hibernate 4 将 spring security xml 配置 hibernate 转换为 java config
Spring Security sec:使用 Java Config 授权标签