spring security3.1升级到4.1问题(1)访问/j_spring_security_check 404

升级完后,发现登录不进去,把post改成get好了,但是系统的提交表单功能都不能用了,也是解决了很长时间,最后找到了根本原因。

spring sercurity 4.0 csrf保护是默认开启的,csrf过滤器会检查post过来的数据有没有token,没有则失败。

解决方法一:加入<csrf disabled="true" />配置

解决方法二:不过滤指定的url

自己弄一个Matcher

 1 package com.cnblogs.yjmyzz.utils;
2
3 import java.util.List;
4 import java.util.regex.Pattern;
5
6 import javax.servlet.http.HttpServletRequest;
7
8 import org.springframework.security.web.util.matcher.RequestMatcher;
9
10 public class CsrfSecurityRequestMatcher implements RequestMatcher {
11 private Pattern allowedMethods = Pattern 12 .compile("^(GET|HEAD|TRACE|OPTIONS)$");
13
14 public boolean matches(HttpServletRequest request) {
15
16 if (execludeUrls != null && execludeUrls.size() > 0) {
17 String servletPath = request.getServletPath();
18 for (String url : execludeUrls) {
19 if (servletPath.contains(url)) {
20 return false;
21 }
22 }
23 }
24 return !allowedMethods.matcher(request.getMethod()).matches();
25 }

26
27 /**
28 * 需要排除的url列表
29 */
30 private List<String> execludeUrls;

31
32 public List<String> getExecludeUrls() {
33 return execludeUrls;
34 }

35
36 public void setExecludeUrls(List<String> execludeUrls) {
37 this.execludeUrls = execludeUrls;
38 }
39 }


这里添加了一个属性execludeUrls,允许人为排除哪些url。

然后在配置文件里,这样修改:

 1     <http entry-point-ref="loginEntryPoint" use-expressions="true">

2 ...
3 <intercept-url pattern="/rest/**" access="permitAll" />

4 ...
5 <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
6 </http>

7
8 <beans:bean id="csrfSecurityRequestMatcher" class="com.cnblogs.yjmyzz.utils.CsrfSecurityRequestMatcher">
9 <beans:property name="execludeUrls">
10 <beans:list>
11 <beans:value>/rest/</beans:value>
12 </beans:list>
13 </beans:property>
14 </beans:bean>


这里约定所有/rest/开头的都是Rest服务地址,上面的配置就把/rest/排除在csrf验证的范围之外了.

解决方法三:加入csrf的token

参考http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout

posted @ 2018-05-22 12:06  星朝  阅读(1256)  评论(0编辑  收藏  举报