Vaadin + Spring Boot returns 403 Forbidden for PUT, POST, DELETE requests

I implemented a simple web application with Spring Boot + Vaadin that exposes a REST API. In addition, Spring Security is wired into the project, with a simple username/password login. GET() requests work correctly, but PUT, POST and DELETE requests fail with a 403 "Forbidden" error.

I tried disabling CSRF with http.httpBasic().and().csrf().disable(); it did not help, and it is also not recommended in production.

I also tried adding a specific request type to antMatchers(), like this: http.httpBasic().and().authorizeRequests().antMatchers(HttpMethod.POST,"/**").permitAll(), which did not help either.

Configuration class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // In-memory user store with two managers; "{noop}" marks the passwords as unencoded.
    private static class SimpleInMemoryUserDetailsManager extends InMemoryUserDetailsManager {
        public SimpleInMemoryUserDetailsManager() {
            createUser(Manager.withUsername("manager1")
                    .password("{noop}123")
                    .roles(ROLE_MANAGER)
                    .build());
            createUser(Manager.withUsername("manager2")
                    .password("{noop}123")
                    .roles(ROLE_MANAGER)
                    .build());
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // HTTP Basic for the REST clients; /enterprises/** requires the manager role.
        http.httpBasic().and().authorizeRequests().antMatchers("/enterprises/**").hasRole(ROLE_MANAGER);

        // Applies Vaadin's defaults (including its CSRF handling) on top of the rules above.
        super.configure(http);

        setLoginView(http, LoginView.class);
    }

    @Bean
    public InMemoryUserDetailsManager enterprisesService() {
        return new SimpleInMemoryUserDetailsManager();
    }
}

REST controller:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// Fully qualified because this class is itself named RestController.
@org.springframework.web.bind.annotation.RestController
@RequestMapping(path = "/")
public class RestController {

    @Autowired
    private VehiclesRepository vehiclesRepository;
    @Autowired
    private EnterprisesRepository enterprisesRepository;
    @Autowired
    private DriversRepository driversRepository;
    @Autowired
    private ManagersRepository managersRepository;

    @GetMapping(
            path = "/vehicles",
            produces = "application/json")
    public VehiclesDto getVehicles() {
        VehiclesDto vehiclesDto = new VehiclesDto();
        for (Vehicle vehicle : vehiclesRepository.findAll()) {
            vehiclesDto.getVehicles().add(vehicle);
        }
        return vehiclesDto;
    }

    // Returns only the enterprises that belong to the given manager.
    @GetMapping(
            path = "/enterprises",
            produces = "application/json")
    public @ResponseBody EnterprisesDto getEnterprises(@RequestParam("managerId") String managerId) {
        Manager manager = null;
        for (Manager managerFromRepo : managersRepository.findAll()) {
            if (managerFromRepo.getId().equals(Long.parseLong(managerId))) {
                manager = managerFromRepo;
                break;
            }
        }
        EnterprisesDto enterprisesDto = new EnterprisesDto();
        if (manager == null) return enterprisesDto;
        for (Enterprise enterprise : enterprisesRepository.findAll()) {
            if (manager.getEnterprises().contains(enterprise.getId()))
                enterprisesDto.getEnterprises().add(enterprise);
        }
        return enterprisesDto;
    }

    @GetMapping(
            path = "/drivers",
            produces = "application/json")
    public DriversDto getDrivers() {
        DriversDto driversDto = new DriversDto();
        for (Driver driver : driversRepository.findAll()) {
            driversDto.getDrivers().add(driver);
        }
        return driversDto;
    }

    // The POST and DELETE endpoints below are the ones that answer with 403.
    @PostMapping("/createVehicle")
    public @ResponseBody String createVehicle(@RequestBody String info) {
        return "it works!!!";
    }

    @DeleteMapping("/deleteVehicle")
    public @ResponseBody String deleteVehicle() {
        return "it works!!!";
    }
}

The requests are tested with Postman using Basic Authentication.

You can disable CSRF for your API:

http.csrf().ignoringRequestMatchers(new AntPathRequestMatcher("/enterprises/**"));
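As an added example (not code from the question or the answer above), this is how the CSRF exemption from the answer is usually applied in practice: a separate, stateless SecurityFilterChain for the REST endpoints, ordered ahead of the chain that VaadinWebSecurity registers, so the REST calls never reach Vaadin's CSRF filter while the Vaadin UI keeps its CSRF protection. It assumes the REST controller is remapped under /api/** (instead of "/"), that the manager users carry the authority ROLE_MANAGER, and that LoginView is the route class from the question; the bean name apiFilterChain is arbitrary. The Spring Security 5.x method names match the question's code, and the comments give the 6.x equivalents.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // Assumption: the REST controller is mapped under /api (e.g. @RequestMapping("/api")),
    // so one path prefix separates API traffic from Vaadin's UI and internal requests.
    private static final AntPathRequestMatcher API = new AntPathRequestMatcher("/api/**");

    /**
     * Chain for the REST API only. @Order(1) makes it win over the Vaadin chain,
     * so API requests are never evaluated by Vaadin's CSRF filter (the source of
     * the 403 on POST/PUT/DELETE). Everything else falls through to the Vaadin chain.
     */
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Spring Security 5.x; on 6.x use securityMatcher(API).
            .requestMatcher(API)
            // No session and no cookies: the browser has nothing it could be tricked
            // into sending automatically, which is why skipping CSRF here is sound.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().ignoringRequestMatchers(API)
            .and()
            // On 6.x use authorizeHttpRequests(). hasRole("MANAGER") matches the
            // authority "ROLE_MANAGER"; passing "ROLE_MANAGER" would look for
            // "ROLE_ROLE_MANAGER" and reject every caller.
            .authorizeRequests().anyRequest().hasRole("MANAGER")
            .and()
            // Credentials are checked against the UserDetailsService bean
            // (the InMemoryUserDetailsManager from the question).
            .httpBasic();
        return http.build();
    }

    /** Vaadin UI chain: CSRF stays enabled and login goes through the Vaadin LoginView. */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        setLoginView(http, LoginView.class);
    }
}
```

With this in place a client can call the write endpoints with Basic credentials and no CSRF token, for example curl -u manager1:123 -X POST -d '{}' http://localhost:8080/api/createVehicle, while a POST to a Vaadin UI path without Vaadin's token is still rejected. Keeping the exemption on the stateless chain, rather than calling csrf().disable() globally as the question tried, is what makes the exemption acceptable in production.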
