【发布时间】:2014-03-29 16:50:14
【问题描述】:
我有使用 Spring-Security 的带有 REST API 的 Spring 应用程序。问题是某些 POST 函数有时会通过返回 200 OK 正常工作,然后开始给我“405 Method Not Allowed”响应。这很奇怪,因为在我进行摘要身份验证后,前几个调用正常(200 OK),然后其余的返回 405。
这是我的配置:
控制器
@Controller
@RequestMapping("/restapi")
public class RestApiController {
private final static Logger logger = LoggerFactory.getLogger(ProviderApiController.class);
private Settings settings;
@RequestMapping(value = "/postmethod", method = RequestMethod.POST, consumes = MediaType.ALL_VALUE)
@ResponseBody
public String postmethod() {
return "OK";
}
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/application-context.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<servlet>
<servlet-name>dispatcherServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/web-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>10</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
<error-page>
<error-code>401</error-code>
<location>/error/401</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error/404</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error/500</location>
</error-page>
</web-app>
web-context.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
<mvc:annotation-driven/>
<context:annotation-config/>
<context:component-scan base-package="com.rest.ws"/>
<!-- Enabling @Secured annotation to control access to the endpoints -->
<security:global-method-security secured-annotations="enabled"/>
<bean id="logginAspect" class="com.rest.aspect.LoggingAspect"/>
<aop:aspectj-autoproxy proxy-target-class="true">
<aop:include name="logginAspect" />
</aop:aspectj-autoproxy>
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/error/" />
<property name="suffix" value=".jsp" />
</bean>
</beans>
application-context.xml
<context:component-scan base-package="com.rest">
<context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
</context:component-scan>
<!-- Define entry point with no authentication -->
<security:http pattern="/restapi/secureFunc" security="none" />
<security:http entry-point-ref="digestEntryPoint">
<security:custom-filter ref="digestFilter" before="BASIC_AUTH_FILTER"/>
<security:http-basic />
<!-- Restricts anonymous access to all the pages -->
<security:intercept-url pattern="/restapi/**" access="ROLE_PROVIDER_TMPL" />
</security:http>
<security:authentication-manager>
<security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>
当我添加自定义/error 页面并将web.xml 中的dispatcherServlet 中的url-pattern 从/* 更改为/ 时,该问题首次出现。
错误页面的控制器:
@Controller
@RequestMapping("/error")
public class CustomErrorMappingController {
@RequestMapping(value = "/404", method = RequestMethod.GET)
public String pageNotFound(HttpServletRequest request, HttpServletResponse response, Model model) {
/*
* you can use the model,request and response object to customize the response
*/
return "pageNotFoundError";
}
@RequestMapping(value = "/500", method = RequestMethod.GET)
public String internalServerError(HttpServletRequest request, HttpServletResponse response, Model model) {
return "internalServerError";
}
@RequestMapping(value = "/401", method = RequestMethod.GET)
public String unauthorized(HttpServletRequest request, HttpServletResponse response, Model model) {
logger.debug("--- 401 Unauthorized");
return "unauthorizedError";
}
@RequestMapping(value = "/unauthorizedError.jsp", method = RequestMethod.GET)
public String unauthorizedError() {
return "Unauthorized error custom.";
}
}
错误页面是目录 /error 中名为 internalServerError.jsp 等的 JSP。
非常欢迎任何建议。
【问题讨论】:
-
为什么要将 web.xml 中 dispatcherServlet 中的 url-pattern 从 /* 更改为 /?如果出现错误页面,'/*' 是否不起作用?
-
@Braj 这确实是一个正确的问题。
-
是的,我无法让错误页面与 url-pattern /* 一起使用。我已经为映射到/error/401等的错误页面创建了一个控制器……我将把代码添加到上面的帖子中。
-
您的错误页面中有
method = RequestMethod.GET。对于任何 POST 且有错误的请求,这不是问题吗?我想这就是问题所在。 -
啊,现在有线索了。你之前没这么说。您需要确保容器中的默认 servlet 已注册。您是否在某处
WebMvcConfigurerAdapter.configureDefaultServletHandling()到您的 servlet 配置(或 XML 中的<mvc:default-servlet-handler />)?
标签: java spring rest spring-security