问题
I'm setting up Spring Security in my project and I'm having some trouble hitting one of my rest endpoints. I receive an "Error: Forbidden" response from the server when I hit the endpoint through my client.
What I'm doing is going to the login page (I assume at this point I'm an anonymous user with ROLE_ANONYMOUS) and clicking a tab that shows me a create new account form.
When I fill out the fields and hit submit then the rest endpoint is called and the JSON data is sent to the server. In my security configuration I have posted below the endpoint url I'm using, /createUserAccount/submit
, is set to work with the ROLE_ANONYMOUS and ROLE_ADMIN roles in the filterSecurityInterceptor
bean xml.
Since I'm an anonymous user on the login page I thought that hitting that endpoint would work, but it's not. All the files relevant to my problem are below.
Here's my controller:
@Controller
@RequestMapping("/createUserAccount")
@SessionAttributes("userAccount")
public class CreateUserAccountController {
private final String loginViewName = "login";
private CreateUserAccountValidator validator;
private UserAccountManager userAccountManager;
@Autowired
public CreateUserAccountController(
@Qualifier("createUserAccountValidator") CreateUserAccountValidator validator,
@Qualifier("userAccountManager") UserAccountManager userAccountManager) {
this.validator = validator;
this.userAccountManager = userAccountManager;
}
@RequestMapping(value="/submit", method = RequestMethod.POST)
@ResponseBody
public GenericJsonDTO submitForm(@RequestBody UserAccount userAccount, BindingResult result, SessionStatus status){
JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
validator.validate(userAccount, result);
if(!result.hasErrors()) {
userAccountManager.createUserAccount(userAccount);
status.setComplete();
}
return jsonFactory.getDto();
}
}
I have my server setup so I can debug during runtime, I put a breakpoint on the line
JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
to see if the function is ever entered when the /createUserAccount/submit
endpoint is called. The function is never entered.
Below is my security configuration. I've been starting to incorporate ACL security so the configuration file is pretty long. I think the problem is in either the http element
or filterSecurityInterceptor
bean configuration xml. The filterSecurityInterceptor
XML is where my URI permissions are defined.
<global-method-security pre-post-annotations="enabled"
secured-annotations="enabled">
<expression-handler ref="expressionHandler" />
</global-method-security>
<http use-expressions="true">
<intercept-url pattern="/**" requires-channel="https" />
<!--<intercept-url pattern="/gravytrack/dashboard**" requires-channel="https" access="ROLE_USER"/>-->
<http-basic />
<session-management>
<concurrency-control max-sessions="10"
error-if-maximum-exceeded="true" />
</session-management>
<anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
</http>
<beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />
<authentication-manager alias="authenticationManager">
<authentication-provider>
<password-encoder ref="passwordEncoder"/>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT email, password, enabled FROM user_account
WHERE email = ?" />
</authentication-provider>
</authentication-manager>
<beans:bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<beans:constructor-arg>
<util:list>
<filter-chain pattern="/images/**" filters="" />
<filter-chain pattern="/**"
filters="securityContextPersistenceFilterWithASCFalse,
basicAuthenticationFilter,
basicExceptionTranslationFilter,
filterSecurityInterceptor" />
</util:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCFalse"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<beans:bean id="securityContextPersistenceFilterWithASCTrue"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
</beans:bean>
<!--......................-->
<!-- basic authentication -->
<!--......................-->
<beans:bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<beans:constructor-arg name="authenticationManager">
<beans:ref bean="authenticationManager" />
</beans:constructor-arg>
<beans:constructor-arg name="authenticationEntryPoint">
<beans:ref bean="basicAuthenticationEntryPoint" />
</beans:constructor-arg>
</beans:bean>
<beans:bean id="basicAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<beans:property name="realmName" value="gravytrack.com" />
</beans:bean>
<beans:bean id="basicExceptionTranslationFilter"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<beans:constructor-arg name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
<beans:property name="accessDeniedHandler" ref="basicAccessDeniedHandler" />
</beans:bean>
<beans:bean id="basicAccessDeniedHandler"
class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</beans:bean>
<!--......................-->
<!-- security -->
<!--......................-->
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="securityMetadataSource">
<filter-security-metadata-source use-expressions="false">
<intercept-url pattern="/login.jsp*"
access="ROLE_ANONYMOUS,ROLE_ADMIN" />
<intercept-url pattern="/gravytrack/createUserAccount/*"
access="ROLE_ANONYMOUS,ROLE_ADMIN" />
<intercept-url pattern="/images/**"
access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
<intercept-url pattern="/admin.htm*" access="ROLE_ADMIN" />
<intercept-url pattern="/**"
access="ROLE_USER,ROLE_ADMIN" />
</filter-security-metadata-source>
</beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<beans:constructor-arg name="decisionVoters">
<beans:list>
<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
<beans:bean
class="org.springframework.security.access.vote.AuthenticatedVoter" />
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="expressionHandler"
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<beans:bean id="permissionEvaluator"
class="org.springframework.security.acls.AclPermissionEvaluator">
<beans:constructor-arg ref="aclService" />
</beans:bean>
<beans:bean id="aclService"
class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
<beans:constructor-arg ref="dataSource" />
<beans:constructor-arg ref="lookupStrategy" />
<beans:constructor-arg ref="aclCache" />
<beans:property name="sidIdentityQuery"
value="SELECT max(id) FROM acl_sid" />
<beans:property name="classIdentityQuery"
value="SELECT max(id) FROM acl_class" />
<!--
<beans:property name="sidIdentityQuery"
value="select currval(pg_get_serial_sequence('acl_sid', 'id'))" />
<beans:property name="classIdentityQuery"
value="select currval(pg_get_serial_sequence('acl_class', 'id'))" />
-->
</beans:bean>
<beans:bean id="consoleAuditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
<beans:bean id="lookupStrategy"
class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
<beans:constructor-arg ref="dataSource" />
<beans:constructor-arg ref="aclCache" />
<beans:constructor-arg ref="aclAuthorizationStrategy" />
<beans:constructor-arg ref="consoleAuditLogger"/>
</beans:bean>
<beans:bean id="aclAuthorizationStrategy"
class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
<beans:constructor-arg>
<beans:list>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
<beans:bean
class="org.springframework.security.core.authority.SimpleGrantedAuthority">
<beans:constructor-arg value="ROLE_ADMIN" />
</beans:bean>
</beans:list>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
<beans:constructor-arg ref="consoleAuditLogger"/>
</beans:bean>
<beans:bean id="aclCache"
class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
<beans:constructor-arg>
<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<beans:property name="cacheManager">
<beans:bean
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
</beans:property>
<beans:property name="cacheName" value="aclCache" />
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg ref="permissionGrantingStrategy" />
<beans:constructor-arg ref="aclAuthorizationStrategy" />
</beans:bean>
</beans:beans>
Last but not least here's my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<!-- Log4j configuration loading -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.xml</param-value>
</context-param>
<!-- Bootstrapping context loading -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/gravytrack-servlet.xml
/WEB-INF/gravytrack-services.xml
/WEB-INF/gravytrack-security.xml
</param-value>
</context-param>
<context-param>
<param-name>webAppRootKey</param-name>
<param-value>gravytrack.root</param-value>
</context-param>
<!-- session management listener -->
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<session-config>
<!-- session times out if no activities for 30 minutes -->
<session-timeout>30</session-timeout>
</session-config>
<!-- defining the DispatcherServlet -->
<servlet>
<servlet-name>gravytrack</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>gravytrack</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<!--<servlet-mapping>-->
<!--<servlet-name>gravytrack</servlet-name>-->
<!--<url-pattern>*.html</url-pattern>-->
<!--</servlet-mapping>-->
<!-- Security entry point -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- webflow -->
<!--
<servlet-mapping>
<servlet-name>soba</servlet-name>
<url-pattern>/flow/*</url-pattern>
</servlet-mapping>
-->
<!-- defining the DefaultServlet -->
<servlet>
<servlet-name>DefaultServlet</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>DefaultServlet</servlet-name>
<url-pattern>*.jpg</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>DefaultServlet</servlet-name>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<error-page>
<error-code>404</error-code>
<location>/WEB-INF/jsp/notfound.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>
login.jsp
</welcome-file>
</welcome-file-list>
<!-- Spring jsp tag lib -->
<jsp-config>
<taglib>
<taglib-uri>/spring</taglib-uri>
<taglib-location>/WEB-INF/tld/spring-form.tld</taglib-location>
</taglib>
</jsp-config>
</web-app>
I'm having a hard time trying to figure out what's wrong so any help is greatly appreciated.
回答1:
By default Spring security enables CSRF and every POST request as it expects a csrf token. Check the Spring CSRF documentation..
You can switchoff CSRF like this in your config to test already if it's the problem
<http auto-config="false">
<csrf disabled="true"/>
if you dont want to switchoff CSRF, you must POST the csrf tokens like this
<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
<input type="submit" value="Log out" />
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
来源:https://stackoverflow.com/questions/32335602/spring-security-error-forbidden-response-from-rest-endpoint