Spring Security: POST request returns 403 Forbidden
Security configuration code:
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                .loginProcessingUrl("/login")
                // login succeeded
                .successHandler(loginSuccessHandler)
                // login failed
                .failureHandler(loginFailureHandler).permitAll()
            .and()
                // a resource is requested without being logged in
                .exceptionHandling().authenticationEntryPoint(forbiddenEntryPoint)
            .and()
                // allow any request (whether or not it holds any authority) to log out
                .logout().logoutSuccessHandler(logoutHandler);
    }
/** permits every path, yet the request still returns 403,
and simply changing it to a GET request lets it through.
To see exactly what this request goes through, raise the log level to debug and look at what it shows:
[2020-11-23 15:11:17,990][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] HttpSession returned null object for SPRING_SECURITY_CONTEXT (HttpSessionSecurityContextRepository.java:189)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@587bedb7. A new one will be created. (HttpSessionSecurityContextRepository.java:119)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] Invalid CSRF token found for http://localhost:8082/sysuser/getAllUsers (CsrfFilter.java:110)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4f1f9d8 (HstsHeaderWriter.java:129)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. (HttpSessionSecurityContextRepository.java:355)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] SecurityContextHolder now cleared, as request processing completed (SecurityContextPersistenceFilter.java:119)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] /error at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] /error at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] HttpSession returned null object for SPRING_SECURITY_CONTEXT (HttpSessionSecurityContextRepository.java:189)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@587bedb7. A new one will be created. (HttpSessionSecurityContextRepository.java:119)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] Checking match of request : '/error'; against '/logout' (AntPathRequestMatcher.java:176)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] Checking match of request : '/error'; against '/login' (AntPathRequestMatcher.java:176)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] saved request doesn't match (HttpSessionRequestCache.java:95)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@f39eef0f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 03BB1A49755357199553DC4C322C410B; Granted Authorities: ROLE_ANONYMOUS' (AnonymousAuthenticationFilter.java:100)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] Request '/error' matched by universal pattern '/**' (AntPathRequestMatcher.java:166)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Secure object: FilterInvocation: URL: /error; Attributes: [permitAll] (AbstractSecurityInterceptor.java:219)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@f39eef0f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 03BB1A49755357199553DC4C322C410B; Granted Authorities: ROLE_ANONYMOUS (AbstractSecurityInterceptor.java:348)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@34fa19b9, returned: 1 (AffirmativeBased.java:66)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Authorization successful (AbstractSecurityInterceptor.java:243)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] RunAsManager did not change Authentication object (AbstractSecurityInterceptor.java:256)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] /error reached end of additional filter chain; proceeding with original chain (FilterChainProxy.java:313)
[2020-11-23 15:11:17,996][DEBUG][http-nio-8082-exec-1] "ERROR" dispatch for POST "/error", parameters={} (LogFormatUtils.java:90)
[2020-11-23 15:11:17,997][DEBUG][http-nio-8082-exec-1] Mapped to public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> com.crhms.seabow.controller.ErrorController.error(javax.servlet.http.HttpServletRequest) (AbstractHandlerMapping.java:420)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] 执行Controller开始:ResponseEntity com.crhms.seabow.controller.ErrorController.error(HttpServletRequest) (LoggingInterceptor.java:38)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] 请求地址 : http://localhost:8082/error (LoggingInterceptor.java:66)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] HTTP方法 : POST (LoggingInterceptor.java:67)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] IP地址 : 0:0:0:0:0:0:0:1 (LoggingInterceptor.java:68)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 请求目标类 : com.crhms.seabow.controller.ErrorController.error (LoggingInterceptor.java:69)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 参数 : [SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@21b0f660]] (LoggingInterceptor.java:70)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 执行Controller结束: (LoggingInterceptor.java:42)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 耗时:1(毫秒). (LoggingInterceptor.java:45)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 请求处理结束:0000000000000000000000:<403 FORBIDDEN Forbidden,{msg=Forbidden, code=403},[]> (LoggingInterceptor.java:75)
[2020-11-23 15:11:18,000][DEBUG][http-nio-8082-exec-1] Using 'application/json', given [*/*] and supported [application/json] (AbstractMessageConverterMethodProcessor.java:268)
[2020-11-23 15:11:18,000][DEBUG][http-nio-8082-exec-1] Writing [{msg=Forbidden, code=403}] (LogFormatUtils.java:90)
[2020-11-23 15:11:18,000][DEBUG][http-nio-8082-exec-1] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. (HttpSessionSecurityContextRepository.java:355)
[2020-11-23 15:11:18,001][DEBUG][http-nio-8082-exec-1] Exiting from "ERROR" dispatch, status 403 (FrameworkServlet.java:1126)
[2020-11-23 15:11:18,001][DEBUG][http-nio-8082-exec-1] Chain processed normally (ExceptionTranslationFilter.java:121)
[2020-11-23 15:11:18,001][DEBUG][http-nio-8082-exec-1] SecurityContextHolder now cleared, as request processing completed (SecurityContextPersistenceFilter.java:119)
You can see that the /sysuser/getAllUsers request starts failing at the fourth filter in the Security chain, CsrfFilter, with the message: Invalid CSRF token found for http://localhost:8082/sysuser/getAllUsers (CsrfFilter.java:110). The request never reaches FilterSecurityInterceptor, where permitAll would have applied; it is instead dispatched to /error, and that dispatch is what produces the 403 response body.
After looking this up, it turns out to be a clash between a RESTful client and CSRF (Cross-site request forgery) protection: by default the CSRF filter exempts only GET|HEAD|TRACE|OPTIONS and requires a token for every other method, so a POST that carries no token is rejected. It can be disabled in the Security configuration.
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").permitAll()
                // paths that require ROLE_COMMON to be accessed: <a th:href="@{/common/test}">go to test.html</a>
                //.antMatchers("/common/**").hasRole("COMMON")
                // holding any authority at all is enough to access the remaining paths; with no authority they are still denied
                .anyRequest().authenticated()
            .and()
                .formLogin()
                .loginProcessingUrl("/login")
                // login succeeded
                .successHandler(loginSuccessHandler)
                // login failed
                .failureHandler(loginFailureHandler).permitAll()
            .and()
                // a resource is requested without being logged in
                .exceptionHandling().authenticationEntryPoint(forbiddenEntryPoint)
            .and()
                // allow any request (whether or not it holds any authority) to log out
                .logout().logoutSuccessHandler(logoutHandler)
            .and()
                .csrf().disable();
    }
The request now goes through normally:
[2020-11-23 15:20:29,311][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,312][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,312][DEBUG][http-nio-8082-exec-2] No HttpSession currently exists (HttpSessionSecurityContextRepository.java:177)
[2020-11-23 15:20:29,313][DEBUG][http-nio-8082-exec-2] No SecurityContext was available from the HttpSession: null. A new one will be created. (HttpSessionSecurityContextRepository.java:119)
[2020-11-23 15:20:29,315][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,316][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,316][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', GET] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Request 'POST /sysuser/getAllUsers' doesn't match 'GET /logout' (AntPathRequestMatcher.java:156)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', POST] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Checking match of request : '/sysuser/getAllUsers'; against '/logout' (AntPathRequestMatcher.java:176)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', PUT] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] Request 'POST /sysuser/getAllUsers' doesn't match 'PUT /logout' (AntPathRequestMatcher.java:156)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', DELETE] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] Request 'POST /sysuser/getAllUsers' doesn't match 'DELETE /logout' (AntPathRequestMatcher.java:156)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] No matches found (OrRequestMatcher.java:72)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] Checking match of request : '/sysuser/getAllUsers'; against '/login' (AntPathRequestMatcher.java:176)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] saved request doesn't match (HttpSessionRequestCache.java:95)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,321][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@200ee26e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' (AnonymousAuthenticationFilter.java:100)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] Requested session ID 03BB1A49755357199553DC4C322C410B is invalid. (SessionManagementFilter.java:124)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,323][DEBUG][http-nio-8082-exec-2] Request '/sysuser/getAllUsers' matched by universal pattern '/**' (AntPathRequestMatcher.java:166)
[2020-11-23 15:20:29,323][DEBUG][http-nio-8082-exec-2] Secure object: FilterInvocation: URL: /sysuser/getAllUsers; Attributes: [permitAll] (AbstractSecurityInterceptor.java:219)
[2020-11-23 15:20:29,323][DEBUG][http-nio-8082-exec-2] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@200ee26e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS (AbstractSecurityInterceptor.java:348)
[2020-11-23 15:20:29,329][DEBUG][http-nio-8082-exec-2] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@61252, returned: 1 (AffirmativeBased.java:66)
[2020-11-23 15:20:29,329][DEBUG][http-nio-8082-exec-2] Authorization successful (AbstractSecurityInterceptor.java:243)
[2020-11-23 15:20:29,329][DEBUG][http-nio-8082-exec-2] RunAsManager did not change Authentication object (AbstractSecurityInterceptor.java:256)
[2020-11-23 15:20:29,330][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers reached end of additional filter chain; proceeding with original chain (FilterChainProxy.java:313)
[2020-11-23 15:20:29,335][DEBUG][http-nio-8082-exec-2] POST "/sysuser/getAllUsers", parameters={} (LogFormatUtils.java:90)
[2020-11-23 15:20:29,343][DEBUG][http-nio-8082-exec-2] Mapped to public java.util.Map com.crhms.seabow.controller.UserController.getAllUsers() (AbstractHandlerMapping.java:420)
[2020-11-23 15:20:29,354][INFO ][http-nio-8082-exec-2] 执行Controller开始:Map com.crhms.seabow.controller.UserController.getAllUsers() (LoggingInterceptor.java:38)
[2020-11-23 15:20:29,354][INFO ][http-nio-8082-exec-2] 请求地址 : http://localhost:8082/sysuser/getAllUsers (LoggingInterceptor.java:66)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] HTTP方法 : POST (LoggingInterceptor.java:67)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] IP地址 : 0:0:0:0:0:0:0:1 (LoggingInterceptor.java:68)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] 请求目标类 : com.crhms.seabow.controller.UserController.getAllUsers (LoggingInterceptor.java:69)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] 参数 : [] (LoggingInterceptor.java:70)
[2020-11-23 15:20:29,358][INFO ][http-nio-8082-exec-2] 执行Controller结束: (LoggingInterceptor.java:42)
[2020-11-23 15:20:29,358][INFO ][http-nio-8082-exec-2] 耗时:4(毫秒). (LoggingInterceptor.java:45)
[2020-11-23 15:20:29,359][INFO ][http-nio-8082-exec-2] 请求处理结束:0000000000000000000000:{} (LoggingInterceptor.java:75)
[2020-11-23 15:20:29,374][DEBUG][http-nio-8082-exec-2] Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json, application/x-jackson-smile, application/cbor] (AbstractMessageConverterMethodProcessor.java:268)
[2020-11-23 15:20:29,374][DEBUG][http-nio-8082-exec-2] Writing [AjaxResponse(status=200, msg=, total=0, data={})] (LogFormatUtils.java:90)
[2020-11-23 15:20:29,386][DEBUG][http-nio-8082-exec-2] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@45005c12 (HstsHeaderWriter.java:129)
[2020-11-23 15:20:29,387][DEBUG][http-nio-8082-exec-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. (HttpSessionSecurityContextRepository.java:355)
[2020-11-23 15:20:29,390][DEBUG][http-nio-8082-exec-2] Completed 200 OK (FrameworkServlet.java:1130)
[2020-11-23 15:20:29,395][DEBUG][http-nio-8082-exec-2] Chain processed normally (ExceptionTranslationFilter.java:121)
[2020-11-23 15:20:29,395][DEBUG][http-nio-8082-exec-2] SecurityContextHolder now cleared, as request processing completed (SecurityContextPersistenceFilter.java:119)
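The fix above switches CSRF protection off for the whole application. That is the right call only when the API is genuinely stateless, with no session cookie the browser would attach on its own; this application still uses a session-cookie formLogin() flow, so the narrower fix is to keep CsrfFilter enabled and hand the token to the client. Two further points from the original configuration are worth noting: `.antMatchers("/**").permitAll()` matches every request first, so `.anyRequest().authenticated()` after it never applies, and the debug line `Invalid CSRF token found for ...` from CsrfFilter is the line to look for whenever a 403 appears while permitAll is in place. The configuration below is an added example written for this page, not the author's code: it assumes Spring Security 5.x with WebSecurityConfigurerAdapter (the API implied by the page's configure(HttpSecurity) signature), reuses the handler beans named on the page (loginSuccessHandler, loginFailureHandler, forbiddenEntryPoint, logoutHandler) whose implementations are assumed to exist, and uses /api/public/** as an assumed placeholder path.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Added example (not the original post's code): keep CsrfFilter enabled for the
 * session-cookie login flow and hand the token to the browser client, instead of
 * csrf().disable() for the whole application.
 */
@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    // Handler beans named on the original page; their implementations are assumed to exist.
    private final AuthenticationSuccessHandler loginSuccessHandler;
    private final AuthenticationFailureHandler loginFailureHandler;
    private final AuthenticationEntryPoint forbiddenEntryPoint;
    private final LogoutSuccessHandler logoutHandler;

    public CsrfAwareSecurityConfig(AuthenticationSuccessHandler loginSuccessHandler,
                                   AuthenticationFailureHandler loginFailureHandler,
                                   AuthenticationEntryPoint forbiddenEntryPoint,
                                   LogoutSuccessHandler logoutHandler) {
        this.loginSuccessHandler = loginSuccessHandler;
        this.loginFailureHandler = loginFailureHandler;
        this.forbiddenEntryPoint = forbiddenEntryPoint;
        this.logoutHandler = logoutHandler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // only the login endpoint is open; every other path now really requires
                // authentication (the page's "/**" permitAll made that rule unreachable)
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginProcessingUrl("/login")
                .successHandler(loginSuccessHandler)
                .failureHandler(loginFailureHandler)
                .permitAll()
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(forbiddenEntryPoint)
            .and()
            .logout()
                .logoutSuccessHandler(logoutHandler)
            .and()
            .csrf()
                // The default matcher is kept: GET/HEAD/TRACE/OPTIONS pass, every other
                // method must present a token. The token is issued in an XSRF-TOKEN cookie
                // that same-origin script may read (HttpOnly=false); a page on another
                // origin cannot read it, so it cannot produce the matching header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Exempt only endpoints that never rely on the session cookie, for example
                // machine-to-machine calls that carry their own bearer token.
                // "/api/public/**" is an assumed placeholder path, not from the post.
                .ignoringAntMatchers("/api/public/**");
    }
}
```

With CookieCsrfTokenRepository the filter sets an XSRF-TOKEN cookie on the first response; a same-origin script reads it and sends the value back in the X-XSRF-TOKEN request header on every POST, PUT and DELETE (Axios does this by default). A POST that carries no header, like the one in the first log above, is still rejected at CsrfFilter with the same `Invalid CSRF token found` debug line, which is the expected outcome for a request the client did not originate.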