那些遇到过的问题

小编sha*_*nim的帖子

在使用Java Config的Spring-Security中,为什么httpBasic POST需要csrf令牌?

我正在使用带有Java配置的Spring-Security 3.2.0.RC2.我设置了一个简单的HttpSecurity配置,要求/ v1/**上的基本身份验证.GET请求工作但POST请求失败:

HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
Run Code Online (Sandbox Code Playgroud)

我的安全配置如下所示:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Resource
private MyUserDetailsService userDetailsService;

@Autowired
//public void configureGlobal(AuthenticationManagerBuilder auth)
public void configure(AuthenticationManagerBuilder auth)
        throws Exception {
    StandardPasswordEncoder encoder = new StandardPasswordEncoder(); 
    auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}

@Configuration
@Order(1)
public static class RestSecurityConfig
        extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/v1/**").authorizeRequests()
                .antMatchers("/v1/**").authenticated()
            .and().httpBasic();
    }
}

}
Run Code Online (Sandbox Code Playgroud)

对此的任何帮助都非常感谢.

post csrf spring-security basic-authentication spring-java-config

sha*_*nim
lucky-day
33
推荐指数
2
解决办法
3万
查看次数

spring-security 登录?注销重定向到登录

我正在使用带有 java 配置和两个 HttpSecurity 配置的 spring-security 3.2.0.RC2。一种用于 REST API,一种用于 UI。当我发布到 /logout 时,它会重定向到 /login?logout 但随后(错误地)重定向到 /login。当我成功输入用户名和密码时,我会被重定向到登录?注销,并且必须再次输入凭据才能进入主页。所以看来登录的 PermitAll 并没有被登录?注销所接受。

我的安全配置如下所示:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

@Resource
private MyUserDetailsService userDetailsService;

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth)
        throws Exception {
    StandardPasswordEncoder encoder = new StandardPasswordEncoder(); 
    auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
}

@Configuration
@Order(1)
public static class RestSecurityConfig
        extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/v1/**").authorizeRequests()
                .antMatchers("/v1/admin/**").hasRole("admin")
                .antMatchers("/v1/account/**").hasRole("admin")
                .antMatchers("/v1/plant/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/v1/upload/**").access("hasRole('admin') or hasRole('dataProvider')")
                .antMatchers("/v1/**").authenticated()
            .and().httpBasic();
    }
}

@Configuration
@Order(2)
public static …
Run Code Online (Sandbox Code Playgroud)

java redirect spring spring-security logout

sha*_*nim
lucky-day
5
推荐指数
1
解决办法
5303
查看次数

标签 统计

spring-security ×2

basic-authentication ×1

csrf ×1

java ×1

logout ×1

post ×1

redirect ×1

spring ×1

spring-java-config ×1