"status": 403, "error": "Forbidden", "message": "Forbidden", "path": "/post/create"

Submitted by 一世执手 on 2021-01-23 06:34:24

Question


I see this response when I try to add a new post after authorization as admin.

I have Basic authorization which is based on Spring Boot Security:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    //...declared fields
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Stored passwords must be BCrypt hashes, since a BCryptPasswordEncoder is registered below;
        // a raw "userpass" string would be rejected by the encoder at authentication time.
        auth
                .inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("user")
                .password(passwordEncoder().encode("userpass"))
                .roles("USER")
                .and()
                .withUser("admin")
                .password(passwordEncoder().encode("adminpass"))
                .roles("ADMIN", "USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is left at its default (enabled): every authenticated request is allowed,
        // but state-changing requests without a CSRF token are rejected with 403.
        http
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and().logout().permitAll()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                .permitAll()
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

I get this message when I try to add a new post after authorization:

{
    "timestamp": "2018-07-04T12:19:25.638+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/post/create"
}

In my controller:

import javax.validation.Valid;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PostController {
    // PostDAO is the application's Spring Data repository for Post entities (not shown).
    @Autowired
    private PostDAO postDAO;

    // Read endpoint: a GET carries no CSRF token requirement, so it succeeds.
    @GetMapping("/posts")
    public Page<Post> getAllPosts(Pageable pageable) {
        return postDAO.findAll(pageable);
    }

    // Write endpoint: a POST is subject to CSRF checking under the default configuration.
    @PostMapping("/post/create")
    public Post createPost(@Valid @RequestBody Post post) {
        return postDAO.save(post);
    }
    //other end-points........
}

However, read operations from my controller work well, but I don't have access to the CRUD operations.

Here are my dependencies:

dependencies {
    compile ('org.springframework.boot:spring-boot-starter-web')
    compile('org.springframework.boot:spring-boot-starter-data-jpa')
    compile('org.hibernate:hibernate-core')
    compile('org.springframework.boot:spring-boot-starter-security')
    runtime('mysql:mysql-connector-java')
    testCompile('org.springframework.boot:spring-boot-starter-test')
    testCompile('org.springframework.security:spring-security-test')
    testCompile('junit:junit')
}

Any idea? Thanks in advance!


Answer 1:


This is due to CSRF enabled. CSRF protection is enabled by default in the Java configuration. We can still disable CSRF using the configuration given below.

http
    .csrf().disable()
    .authorizeRequests()
    .anyRequest().permitAll();

Starting from Spring Security 4.x – the CSRF protection is enabled by default in the XML configuration as well; we can of course still disable it if we need to:

<http>
    ...
    <csrf disabled="true"/>
</http>

Note: CSRF is an attack which forces an end user to execute unwanted actions in a web application in which they are currently authenticated.




Answer 2:


Here's why: CSRF is automatically enabled in Spring Security, and I recommend you do not disable CSRF. Normally your HTML form tag should include a hidden field which carries the CSRF token; however, Thymeleaf automatically does that for you. You should check your HTML tag to see whether or not a "th:" was included; if not, include "th:" before "action" in the form tag. Do this, and Thymeleaf generates the CSRF token invisibly.
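For a @RestController that receives JSON there is no Thymeleaf form to carry the token, and the snippet in Answer 1 also changes `anyRequest()` to `permitAll()`, which removes authentication from every endpoint. The configuration below is an added example (not code from the question or either answer) that keeps CSRF protection on, hands the token to the client in a readable XSRF-TOKEN cookie so a same-origin script can echo it in the X-XSRF-TOKEN header, and limits /post/create to ADMIN; it assumes Spring Boot 2.x with Spring Security 5.x, matching the WebSecurityConfigurerAdapter used in the question.

```java
// Added example, not the question's or answers' code. Assumes Spring Boot 2.x / Spring Security 5.x.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("user").password(passwordEncoder().encode("userpass")).roles("USER")
            .and()
            .withUser("admin").password(passwordEncoder().encode("adminpass")).roles("ADMIN", "USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Keep CSRF enabled. The token is issued in an XSRF-TOKEN cookie that JavaScript may
            // read (httpOnly=false); the client sends it back in the X-XSRF-TOKEN header on every
            // POST/PUT/DELETE and Spring's CsrfFilter compares header and cookie values.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                .antMatchers("/login", "/logout").permitAll()
                // Reads stay open to any authenticated user; writes under /post/ require ADMIN.
                .antMatchers(HttpMethod.GET, "/posts").authenticated()
                .antMatchers(HttpMethod.POST, "/post/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

To try it without a browser: GET /posts with Basic auth and save the cookies, then POST /post/create with the same cookies plus an X-XSRF-TOKEN header whose value is copied from the XSRF-TOKEN cookie; a POST without that header is still rejected with 403, which is the CSRF protection doing its job.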



Source: https://stackoverflow.com/questions/51174601/status-403-error-forbidden-message-forbidden-path-post-crea
