下午好,
当我试图将一些数据POST到部署在tomcat上的服务器时,我遇到了一个错误。我认为这是春季安全问题。
在服务器上,这是我的安全设置:
try {
http.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.antMatchers("/mainMenu/admin/*").access("hasRole('" + ENUM_USER_ROLES.ADMIN.getValue() +"')")
.antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
.antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
.antMatchers(HttpMethod.GET,"/api/mobile/**").authenticated()
.antMatchers(HttpMethod.POST,"/api/mobile/**").authenticated()
// .antMatchers(HttpMethod.POST, "/api/mobile/**").access("hasRole('COMPANY_MOBILE')")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
http.httpBasic();
} catch(Exception e) {
logger.error(e.getMessage());
}
在控制器中,我有两种方法:
@RequestMapping(value = "/api/mobile/test/1", method=RequestMethod.GET, produces={"application/json"})
public @ResponseBody String populateActivePSwapBasketGET() {
return "HELLO get";
}
@RequestMapping(value = "/api/mobile/test/2", method=RequestMethod.POST, produces={"application/json"})
public @ResponseBody String populateActivePSwapBasketPOST() {
return "HELLO post";
}
从我的android角度来看,我成功地调用了第一个GET方法,但POST方法抛出了
org.springframework.web.client.HttpClientErrorException:403禁止
在Android手机上,以下是我在服务器上调用Get和Post方法的两种方法。第二个给了我一个例外:
HttpAuthentication authHeader = new HttpBasicAuthentication(userName, password);
HttpHeaders requestHeaders = new HttpHeaders();
requestHeaders.setAuthorization(authHeader);
final Gson gson = new Gson();
// Create the request body as a MultiValueMap
MultiValueMap<String, String> body = new LinkedMultiValueMap<String, String>();
HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders);
RestTemplate restTemplate = new RestTemplate(true);
try {
ResponseEntity<String> out1 = restTemplate.exchange(
AndroidPhoneProperties.REST_API + "/api/mobile/test/1",
HttpMethod.GET,
requestEntity,
String.class);
ResponseEntity<String> out2 = restTemplate.exchange(
AndroidPhoneProperties.REST_API + "/api/mobile/test/2",
HttpMethod.POST,
requestEntity,
String.class);
String asd = "";
} catch (HttpClientErrorException e) {
CustomAppLogging.e(this.getClass().getName(), CLASSNAME + " HttpClientErrorException " + e.getMessage());
}
这是我的服务器等级文件:
dependencies {
compile("org.springframework.boot:spring-boot-starter-thymeleaf")
compile("org.springframework.boot:spring-boot-starter-security")
compile("org.springframework:spring-jdbc:4.1.0.RELEASE")
compile("org.springframework.boot:spring-boot-starter-data-jpa")
compile("mysql:mysql-connector-java:5.1.+")
compile("org.webjars:bootstrap:3.0.3")
compile("org.webjars:jquery:2.0.3-1")
compile("org.springframework.security.oauth:spring-security-oauth2:2.0.7.RELEASE")
compile("org.thymeleaf:thymeleaf-spring4")
compile("nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect")
compile("org.springframework.boot:spring-boot-starter-web")
compile("com.google.code.gson:gson:2.2.4")
providedRuntime("org.springframework.boot:spring-boot-starter-tomcat")
testCompile("junit:junit")
}
这是我的android项目的Gradle文件:
dependencies {
compile fileTree(include: ['*.jar'], dir: 'libs')
compile 'com.android.support:appcompat-v7:22.2.0'
compile 'com.squareup.retrofit:retrofit:2.0.0-beta1'
compile 'com.squareup.retrofit:converter-gson:2.0.0-beta1'
compile 'com.squareup.retrofit:adapter-rxjava:2.0.0-beta1'
compile 'com.google.code.gson:gson:2.3'
compile 'org.springframework.android:spring-android-rest-template:2.0.0.M1'
compile 'com.android.support:design:22.2.0'
compile 'com.android.support:support-v4:22.1.1'
compile 'de.hdodenhof:circleimageview:1.3.0'
}
当我测试这个时,我从命令行运行它,如下所示:
java-Xdebug-Xrungdwp:server=y,transport=dt_socket,address=8000,suspend=n-jar build/libs/xxxx-0.1.0.jar
我在哪里可以看到来自Spring安全性的日志,这些日志可以告诉我POST被拒绝的原因的更多信息?如果我切换到在tomcat服务器上部署它,我会得到更好的日志吗?
如果你想了解更多信息,请询问。
谢谢你的帮助。
禁用CSRF。
@Override
protected void configure(HttpSecurity http) throws Exception {
http
// ...
.csrf().disable();
}
答案张贴在这里:
spring security 403错误