Spring:总是说禁止 - 状态 403

【问题标题】:Spring : Always say forbidden - Status 403Spring:总是说禁止 - 状态 403
【发布时间】:2018-04-08 06:24:09
【问题描述】:

我已经为我的 spring 项目配置了所有设置,但是当我尝试登录应用程序时,它会针对每个请求说明

"The server understood the request but refuses to authorize it."

最初我尝试实现 JDBC 身份验证,(您可以看到我在代码中使用了数据源)。但是后来我也尝试了内存身份验证,在这两种情况下,我都无法访问资源。

下面是我的spring配置文件,

package com.nobalg.config;

import java.beans.PropertyVetoException;
import java.util.logging.Logger;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.env.Environment;
import org.springframework.web.servlet.ViewResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.view.InternalResourceViewResolver;

import com.mchange.v2.c3p0.ComboPooledDataSource;

@Configuration
@EnableWebMvc
@ComponentScan(basePackages="com.nobalg")
@PropertySource("classpath:persistence-mysql.properties")
public class AppConfig {

    @Autowired
    private Environment env;

    private Logger logger = Logger.getLogger(getClass().getName());
    @Bean
    public ViewResolver viewResolver(){
        InternalResourceViewResolver resolver = new InternalResourceViewResolver();
        resolver.setPrefix("/WEB-INF/view/");
        resolver.setSuffix(".jsp");
        return resolver;
    }

    @Bean
    public DataSource secureDataSource(){
        ComboPooledDataSource dataSource = new ComboPooledDataSource();
        try {
            //Datasource
            dataSource.setDriverClass(env.getProperty("jdbc.driver"));
            dataSource.setJdbcUrl(env.getProperty("jdbc.url"));
            dataSource.setUser(env.getProperty("jdbc.user"));
            dataSource.setPassword(env.getProperty("jdbc.password"));

            //Connection polling
            dataSource.setInitialPoolSize(Integer.parseInt(env.getProperty("connection.pool.initialPoolSize")));
            dataSource.setMaxPoolSize(Integer.parseInt(env.getProperty("connection.pool.maxPoolSize")));
            dataSource.setMinPoolSize(Integer.parseInt(env.getProperty("connection.pool.minPoolSize")));
            dataSource.setMaxIdleTime(Integer.parseInt(env.getProperty("connection.pool.maxIdleTime")));
        } catch (PropertyVetoException e) {
            throw new RuntimeException(e);
        }
        return dataSource;
    }
}

Dispatcher Servlet 初始化程序文件

package com.nobalg.config;

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class MvcSpringInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        // TODO Auto-generated method stub
        return null;
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        // TODO Auto-generated method stub
        return new Class[]{AppConfig.class};
    }

    @Override
    protected String[] getServletMappings() {
        // TODO Auto-generated method stub
        return new String[]{"/"};
    }

}

Spring 安全配置文件:

package com.nobalg.config;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource dataSource;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        //auth.jdbcAuthentication().dataSource(dataSource);
        auth.inMemoryAuthentication().withUser("Nobal").password("test@123").authorities("MANAGER");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                    .formLogin()
                    .loginPage("/loginPage")
                    .loginProcessingUrl("/loginProcessing")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .permitAll();
    }


}

Spring 安全初始化文件

package com.nobalg.config;

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;


public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer {

}

唯一的控制器

package com.nobalg.controllers;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class MainContoller {

    @GetMapping("/loginPage")
    public String showLoginForm(){
        return "login";
    }


}

和登录页面

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
    <%@ taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<form:form method="POST" action="${pageContext.request.contextPath}/loginProcessing">
<p>Enter Username : <input type="text" placeholder="Enter Username" name="username"></p>
<p>Enter Password : <input type="password" placeholder="Enter Password" name="password"></p>
<p><input type="submit" value="LOG IN"></p>
</form:form>

</body>
</html>

【问题讨论】:

    标签: java spring authentication authorization


    【解决方案1】:

    将此添加为您的表单字段:

    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

    或者,如果您想使用 Spring Security JSP tag library 的其他方法:

    您可以选择禁用默认启用的csrf:

    @Override
protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
}

    编辑1

    使用 passwordEncoder 添加这个 bean。

    @Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

    并将密码编码器设置为 auth:

    @Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.passwordEncoder(this.passwordEncoder());
}

    编辑2

    将需要UserDetailsService.loginProcessingUrl("/loginProcessing")改为.defaultSuccessUrl("/")

    【讨论】:

    • 感谢您的回复,但我已经在使用 spring 的
      标签了,是不是和您建议的一样?
    • 您的表单没有包含 csrf 令牌。
    • 请看this
    • 请尝试禁用csrf一段时间并测试它,并告诉我。我会试着找出发生了什么。
    • 它说,内部错误,未映射密码编码器,id 为空
    猜你喜欢
    • 2020-02-11
    • 1970-01-01
    • 2016-02-29
    • 1970-01-01
    • 1970-01-01
    • 2020-12-18
    • 2021-11-06
    • 2016-06-11
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode