Spring安全过滤器阻止restful api调用

Question

我有一个使用 Spring 4 的 Web 应用程序。我在这里使用 Spring 安全性。与此同时，我需要打开一个没有安全性的宁静 api。问题是在启用安全过滤器之前，我的其余 POST 调用得到 405 Method Not Allowed 响应（GET 仍然有效）。同时服务器日志显示

.11:27:13.058 [http-bio-8080-exec-5] WARN  o.s.web.servlet.PageNotFound - Request method 'POST' not supported

当我从 web.xml POST 评论安全过滤器时，它工作正常。我尝试在安全 xml 中添加以下行，但没有帮助。

<intercept-url pattern="/rest**" access="permitAll" />

我的 web.xml ，安全过滤器是和结束时评论 POST 开始工作。

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
      http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     version="2.5">

<display-name>Counter Web Application</display-name>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<!-- Loads Spring Security config file -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/application-security.xml,
        /WEB-INF/application-database.xml
    </param-value>
</context-param>

 <!--Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

我的应用程序-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http security="none" pattern="**/resources/**"/>

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">

    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/rest**" access="permitAll" />

    <!-- access denied page -->
    <access-denied-handler error-page="/access-denied" />

    <form-login
            login-page="/login"
            default-target-url="/admin/dashboard"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
    <logout logout-success-url="/login?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>

    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
                           users-by-username-query="select username,password, enabled from users where username=?"
                           authorities-by-username-query="select username, role from user_roles where username =?" />
    </authentication-provider>

</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

我的休息控制器。我也有其他控制器。我这里只是假约会。首先要让事情顺利进行。

    @RestController
    @RequestMapping("/rest/orders")
    public class OrderRestController {

    @Autowired
    private FoodItemService foodItemService;

    @RequestMapping(value = "", method = RequestMethod.POST)
    public Order addOrder(Order orderDto) {
        return orderDto;
    }

    @RequestMapping(value = "", method = RequestMethod.GET)
    public Order getOrder() {
        FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
        Order orderDto = new Order();
        orderDto.setRoomId(23);
        OrderItem orderItem = new OrderItem();
        orderItem.setFoodItem(foodItem);
        orderItem.setAmount(4);
        List<OrderItem> orderItems = new LinkedList<OrderItem>();
        orderItems.add(orderItem);
        orderDto.setOrderItemList(orderItems);
        return orderDto;
    }

Answer 1

问题是 csrf 被启用。应该进一步研究禁用 csrf 和安全性，但目前禁用它是解决方案。

Answer 2

通过查看您的控制器，您似乎有 2 个没有价值的方法，它们正试图响应 URL ..../rest/orders;我会这样写：

@RestController
@RequestMapping("/rest/orders")
public class OrderRestController {

@Autowired
private FoodItemService foodItemService;

@RequestMapping(value = "addOrder", method = RequestMethod.POST)
public Order addOrder(Order orderDto) {
    return orderDto;
}

@RequestMapping(value = "getOrder", method = RequestMethod.GET)
public Order getOrder() {
    FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
    Order orderDto = new Order();
    orderDto.setRoomId(23);
    OrderItem orderItem = new OrderItem();
    orderItem.setFoodItem(foodItem);
    orderItem.setAmount(4);
    List<OrderItem> orderItems = new LinkedList<OrderItem>();
    orderItems.add(orderItem);
    orderDto.setOrderItemList(orderItems);
    return orderDto;
}

之后，如果我想调用 addOrder 方法，我会对 URL /rest/orders/addOrder 进行 REST 调用（使用 POST 方法），如果我想调用 getOrder 方法，我会做一个对 URL /rest/orders/getOrder 的 REST 调用。此外，我会将参数（例如 orderId）传递给 getOrder 方法，以便加载所选订单

Answer 3

你试过了吗：

<intercept-url pattern="/rest/**" access="permitAll" />