我是初来乍到的春天。我试图在数据库中添加一个新目标。在我添加春季安全性之前,它是有效的,但现在如果我点击添加新目标,我有一个问题:
出现意外错误(类型=禁止,状态=403(。禁止
我的goat-add.html:
<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<title>Goals</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
</head>
<body>
<header th:insert="blocks/header :: header"></header>
<div class="container mt-5 mb-5">
<h1>Your goals</h1>
<form action="/goal/add" method="post">
<input type="text" name="name" placeholder="Write your goal name" class="form-control"><br>
<textarea type="text" name="description" placeholder="Write your goal description" class="form-control"></textarea><br>
<button type="submit" class="btn btn-success">Add goal</button>
</form>
</div>
<div th:insert="blocks/footer :: footer"></div>
</body>
</html>
WebSecurityConfig类:
package com.evgzabozhan.GoatGoal.config;
import com.evgzabozhan.GoatGoal.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login","/registration").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userService)
.passwordEncoder(NoOpPasswordEncoder.getInstance());
}
}
我的控制器:
package com.evgzabozhan.GoatGoal.controller;
import com.evgzabozhan.GoatGoal.model.Goal;
import com.evgzabozhan.GoatGoal.model.User;
import com.evgzabozhan.GoatGoal.repository.GoalRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import java.util.*;
@Controller
public class GoalController {
@Autowired
private GoalRepository goalRepository;
@GetMapping("/goal")
public String goal(Model model){
Iterable<Goal> goals = goalRepository.findAll();
model.addAttribute("goals",goals);
return "goal/goal-main";
}
@GetMapping("/goal/add")
public String getGoalAdd(Model model){
return "goal/goal-add";
}
@PostMapping("/goal/add")
public String postGoalAdd(@AuthenticationPrincipal User user,
@RequestParam String name,
@RequestParam String description, Model model){
Goal goal = new Goal(name,description,user);
goalRepository.save(goal);
model.addAttribute("message",user.getUsername());
return "redirect:/goal";
}
@GetMapping("/goal/{id}")
public String goalInfo(@PathVariable(value = "id") long id, Model model) {
if (!goalRepository.existsById(id)) {
return "redirect:/goal";
}
Optional<Goal> goal = goalRepository.findById(id);
ArrayList<Goal> result = new ArrayList<>();
goal.ifPresent(result::add);
model.addAttribute("goal", result);
return "goal/goal-info";
}
@GetMapping("/goal/{id}/edit")
public String goalEdit(@PathVariable(value = "id") long id, Model model){
if (!goalRepository.existsById(id)) {
return "redirect:/goal";
}
Optional<Goal> goal = goalRepository.findById(id);
ArrayList<Goal> result = new ArrayList<>();
goal.ifPresent(result::add);
model.addAttribute("goal", result);
return "goal/goal-edit";
}
@PostMapping("/goal/{id}/edit")
public String postGoalUpdate(@PathVariable(value = "id") long id,
@RequestParam String name,
@RequestParam String description,
Model model){
Goal goal = goalRepository.findById(id).orElseThrow();
goal.setName(name);
goal.setDescription(description);
goalRepository.save(goal);
return "redirect:/goal";
}
@PostMapping("/goal/{id}/remove")
public String postGoalRemove(@PathVariable(value = "id") long id, Model model){
Goal goal = goalRepository.findById(id).orElseThrow();
goalRepository.delete(goal);
return "redirect:/goal";
}
}
我读到这个问题可能是如果不使用csrf,但我不明白如何解决它。
所有代码:https://github.com/evgzabozhan/GoatGoal
谢谢你的帮助!
我认为这是因为没有一个目标调用是允许的操作
.antMatchers("/login","/registration").permitAll()
应该是
.antMatchers("/login","/registration","/goal").permitAll()
我在configure方法中添加了.csrf.disable((,它就工作了。
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/login","/registration").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
它之所以有效,是因为在Spring 中默认启用了crsf