【发布时间】:2017-03-12 16:42:33
【问题描述】:
我正在使用 spring 安全性创建一个带有 spring 的项目,但我只遇到了我的 api 的问题(所有控制器都与 csrf 一起正常工作)。但似乎 csrf 对我的 api 造成了问题,因为当我向我的 api 发出请求时,我得到:
{"id":41,"titulo":"vineta3","creationdate":1489421003000,"URL":"http://i2.kym-cdn.com/photos/images/facebook/000/125/918/RMUBQ.png","likes":0,"dislikes":0,"descripcion":"des3"}{"timestamp":1489421218765,"status":200,"error":"OK","exception":"java.lang.IllegalStateException","message":"Cannot create a session after the response has been committed","path":"/api/vineta/41/"}
最后的信息:
{"timestamp":1489421218765,"status":200,"error":"OK","exception":"java.lang.IllegalStateException","message":"Cannot create a session after the response has been committed","path":"/api/vineta/41/"}
当我的项目没有春季安全时,不会返回。我将下一个代码用于我的安全配置。
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
public UserRepositoryAuthenticationProvider authenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
// Public pages
http.authorizeRequests().antMatchers("/").permitAll();
http.authorizeRequests().antMatchers("/login").permitAll();
http.authorizeRequests().antMatchers("/loginerror").permitAll();
http.authorizeRequests().antMatchers("/registro").permitAll();
http.authorizeRequests().antMatchers("/signup").permitAll();
http.authorizeRequests().antMatchers(HttpMethod.GET, "/api/**").permitAll();
// Private pages (all other pages)
http.authorizeRequests().antMatchers("/home").hasAnyRole("USER");
//http.authorizeRequests().antMatchers("/crearComentario/vineta/{id}").hasAnyRole("USER");
// Login form
http.formLogin().loginPage("/login");
http.formLogin().usernameParameter("username");
http.formLogin().passwordParameter("password");
http.formLogin().defaultSuccessUrl("/home");
http.formLogin().failureUrl("/loginerror");
// Logout
http.logout().logoutUrl("/logout");
http.logout().logoutSuccessUrl("/");
}
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
// Database authentication provider
auth.authenticationProvider(authenticationProvider);
}
}
我的 csrf 的下一个:
@Configuration
public class CSRFHandlerConfiguration extends WebMvcConfigurerAdapter {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new CSRFHandlerInterceptor());
}
}
class CSRFHandlerInterceptor extends HandlerInterceptorAdapter {
@Override
public void postHandle(final HttpServletRequest request,
final HttpServletResponse response, final Object handler,
final ModelAndView modelAndView) throws Exception {
CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
modelAndView.addObject("token", token.getToken());
}
}
在控制台中,我可以看到以下日志: 在
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.32.jar:8.0.32]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_25]
Caused by: java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:2928) ~[tomcat-embed-core-8.0.32.jar:8.0.32]
我没有使用 SingleTransactionsController,这可能是问题所在?
【问题讨论】:
-
更改后我现在得到:{"timestamp":1489421060885,"status":200,"error":"OK","exception":"java.lang.IllegalStateException","message ":"在提交响应后无法创建会话","path":"/api/usuarios/"} 并且在我的控制台上我看到:ERROR 32628 --- [nio-8080-exec-3] o.a.c.c.C. [Tomcat].[localhost] : 异常处理ErrorPage[errorCode=0, location=/error] org.springframework.web.util.NestedServletException: 请求处理失败;嵌套异常是 java.lang.IllegalStateException: 响应提交后无法创建会话
标签: spring spring-boot spring-security spring-tool-suite