Spring Security - “Error: Forbidden” response from rest endpoint

一笑奈何 提交于 2019-12-25 16:38:06

问题


I'm setting up Spring Security in my project and I'm having some trouble hitting one of my rest endpoints. I receive an "Error: Forbidden" response from the server when I hit the endpoint through my client.

What I'm doing is going to the login page (I assume at this point I'm an anonymous user with ROLE_ANONYMOUS) and clicking a tab that shows me a create new account form.

When I fill out the fields and hit submit then the rest endpoint is called and the JSON data is sent to the server. In my security configuration I have posted below the endpoint url I'm using, /createUserAccount/submit, is set to work with the ROLE_ANONYMOUS and ROLE_ADMIN roles in the filterSecurityInterceptor bean xml.

Since I'm an anonymous user on the login page I thought that hitting that endpoint would work, but it's not. All the files relevant to my problem are below.

Here's my controller:

@Controller
@RequestMapping("/createUserAccount")
@SessionAttributes("userAccount")
public class CreateUserAccountController {
    private final String loginViewName = "login";
    private CreateUserAccountValidator validator;
    private UserAccountManager userAccountManager;

    @Autowired
    public CreateUserAccountController(
            @Qualifier("createUserAccountValidator") CreateUserAccountValidator validator,
            @Qualifier("userAccountManager") UserAccountManager userAccountManager) {
        this.validator = validator;
        this.userAccountManager = userAccountManager;
    }

    @RequestMapping(value="/submit", method = RequestMethod.POST)
    @ResponseBody
    public GenericJsonDTO submitForm(@RequestBody UserAccount userAccount, BindingResult result, SessionStatus status){
        JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");
        validator.validate(userAccount, result);

        if(!result.hasErrors()) {
            userAccountManager.createUserAccount(userAccount);
            status.setComplete();
        }
        return jsonFactory.getDto();
    }
}

I have my server setup so I can debug during runtime, I put a breakpoint on the line

JsonFactory jsonFactory = new JsonFactory(result, "/gravytrack/dashboard");

to see if the function is ever entered when the /createUserAccount/submit endpoint is called. The function is never entered.

Below is my security configuration. I've been starting to incorporate ACL security so the configuration file is pretty long. I think the problem is in either the http element or filterSecurityInterceptor bean configuration xml. The filterSecurityInterceptor XML is where my URI permissions are defined.

<global-method-security pre-post-annotations="enabled"
                            secured-annotations="enabled">
        <expression-handler ref="expressionHandler" />
    </global-method-security>

    <http use-expressions="true">
        <intercept-url pattern="/**" requires-channel="https" />
        <!--<intercept-url pattern="/gravytrack/dashboard**" requires-channel="https" access="ROLE_USER"/>-->
        <http-basic />
        <session-management>
            <concurrency-control max-sessions="10"
                                 error-if-maximum-exceeded="true" />
        </session-management>
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    </http>

    <beans:bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder" />

    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder ref="passwordEncoder"/>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="SELECT email, password, enabled FROM user_account
                                            WHERE email = ?" />

        </authentication-provider>
    </authentication-manager>

    <beans:bean id="springSecurityFilterChain"
                class="org.springframework.security.web.FilterChainProxy">
        <beans:constructor-arg>
            <util:list>
                <filter-chain pattern="/images/**" filters="" />
                <filter-chain pattern="/**"
                              filters="securityContextPersistenceFilterWithASCFalse,
                                   basicAuthenticationFilter,
                                   basicExceptionTranslationFilter,
                                   filterSecurityInterceptor" />
            </util:list>
        </beans:constructor-arg>
    </beans:bean>
    <beans:bean id="securityContextPersistenceFilterWithASCFalse"
                class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    </beans:bean>

    <beans:bean id="securityContextPersistenceFilterWithASCTrue"
                class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    </beans:bean>

    <!--......................-->
    <!-- basic authentication -->
    <!--......................-->
    <beans:bean id="basicAuthenticationFilter"
                class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
        <beans:constructor-arg name="authenticationManager">
            <beans:ref bean="authenticationManager" />
        </beans:constructor-arg>
        <beans:constructor-arg name="authenticationEntryPoint">
            <beans:ref bean="basicAuthenticationEntryPoint" />
        </beans:constructor-arg>
    </beans:bean>
    <beans:bean id="basicAuthenticationEntryPoint"
                class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <beans:property name="realmName" value="gravytrack.com" />
    </beans:bean>

    <beans:bean id="basicExceptionTranslationFilter"
                class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <beans:constructor-arg name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
        <beans:property name="accessDeniedHandler" ref="basicAccessDeniedHandler" />
    </beans:bean>

    <beans:bean id="basicAccessDeniedHandler"
                class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    </beans:bean>

    <!--......................-->
    <!--       security       -->
    <!--......................-->
    <beans:bean id="filterSecurityInterceptor"
                class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">

        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="accessDecisionManager" ref="accessDecisionManager" />

        <beans:property name="securityMetadataSource">
            <filter-security-metadata-source use-expressions="false">
                <intercept-url pattern="/login.jsp*"
                               access="ROLE_ANONYMOUS,ROLE_ADMIN" />
                <intercept-url pattern="/gravytrack/createUserAccount/*"
                               access="ROLE_ANONYMOUS,ROLE_ADMIN" />
                <intercept-url pattern="/images/**"
                               access="ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN" />
                <intercept-url pattern="/admin.htm*" access="ROLE_ADMIN" />
                <intercept-url pattern="/**"
                               access="ROLE_USER,ROLE_ADMIN" />
            </filter-security-metadata-source>
        </beans:property>

    </beans:bean>

    <beans:bean id="accessDecisionManager"
                class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:constructor-arg name="decisionVoters">
            <beans:list>
                <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
                <beans:bean
                        class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>


    <beans:bean id="expressionHandler"
                class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <beans:property name="permissionEvaluator" ref="permissionEvaluator" />
    </beans:bean>

    <beans:bean id="permissionEvaluator"
                class="org.springframework.security.acls.AclPermissionEvaluator">
        <beans:constructor-arg ref="aclService" />
    </beans:bean>

    <beans:bean id="aclService"
                class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
        <beans:constructor-arg ref="dataSource" />
        <beans:constructor-arg ref="lookupStrategy" />
        <beans:constructor-arg ref="aclCache" />
        <beans:property name="sidIdentityQuery"
                        value="SELECT max(id) FROM acl_sid" />
        <beans:property name="classIdentityQuery"
                        value="SELECT max(id) FROM acl_class" />
        <!--
        <beans:property name="sidIdentityQuery"
            value="select currval(pg_get_serial_sequence('acl_sid', 'id'))" />
        <beans:property name="classIdentityQuery"
            value="select currval(pg_get_serial_sequence('acl_class', 'id'))" />
        -->
    </beans:bean>

    <beans:bean id="consoleAuditLogger" class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>

    <beans:bean id="lookupStrategy"
                class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
        <beans:constructor-arg ref="dataSource" />
        <beans:constructor-arg ref="aclCache" />
        <beans:constructor-arg ref="aclAuthorizationStrategy" />
        <beans:constructor-arg ref="consoleAuditLogger"/>
    </beans:bean>

    <beans:bean id="aclAuthorizationStrategy"
            class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
        <beans:constructor-arg>
            <beans:list>
                <beans:bean
                        class="org.springframework.security.core.authority.SimpleGrantedAuthority">
                    <beans:constructor-arg value="ROLE_ADMIN" />
                </beans:bean>
                <beans:bean
                        class="org.springframework.security.core.authority.SimpleGrantedAuthority">
                    <beans:constructor-arg value="ROLE_ADMIN" />
                </beans:bean>
                <beans:bean
                        class="org.springframework.security.core.authority.SimpleGrantedAuthority">
                    <beans:constructor-arg value="ROLE_ADMIN" />
                </beans:bean>
            </beans:list>
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
        <beans:constructor-arg ref="consoleAuditLogger"/>
    </beans:bean>


    <beans:bean id="aclCache"
                class="org.springframework.security.acls.domain.EhCacheBasedAclCache">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                <beans:property name="cacheManager">
                    <beans:bean
                            class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
                </beans:property>
                <beans:property name="cacheName" value="aclCache" />
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg ref="permissionGrantingStrategy" />
        <beans:constructor-arg ref="aclAuthorizationStrategy" />
    </beans:bean>


</beans:beans>

Last but not least here's my web.xml

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
         http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <!-- Log4j configuration loading -->
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j.xml</param-value>
    </context-param>
    <!-- Bootstrapping context loading -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/gravytrack-servlet.xml
            /WEB-INF/gravytrack-services.xml
            /WEB-INF/gravytrack-security.xml
           </param-value>
    </context-param>
    <context-param>
        <param-name>webAppRootKey</param-name>
        <param-value>gravytrack.root</param-value>
    </context-param>

    <!-- session management listener -->
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <session-config>
        <!-- session times out if no activities for 30 minutes -->
        <session-timeout>30</session-timeout>
    </session-config>


    <!-- defining the DispatcherServlet -->
    <servlet>
        <servlet-name>gravytrack</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>gravytrack</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>gravytrack</servlet-name>
        <url-pattern>*.htm</url-pattern>
    </servlet-mapping>
    <!--<servlet-mapping>-->
        <!--<servlet-name>gravytrack</servlet-name>-->
        <!--<url-pattern>*.html</url-pattern>-->
    <!--</servlet-mapping>-->

    <!-- Security entry point -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- webflow -->
    <!--
<servlet-mapping>
        <servlet-name>soba</servlet-name>
        <url-pattern>/flow/*</url-pattern>
    </servlet-mapping>
 -->
<!-- defining the DefaultServlet -->
<servlet>
        <servlet-name>DefaultServlet</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>DefaultServlet</servlet-name>
        <url-pattern>*.jpg</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>DefaultServlet</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/jsp/notfound.jsp</location>
    </error-page>
    <welcome-file-list>
        <welcome-file>
      login.jsp
    </welcome-file>
    </welcome-file-list>
    <!-- Spring jsp tag lib -->
    <jsp-config>
        <taglib>
            <taglib-uri>/spring</taglib-uri>
            <taglib-location>/WEB-INF/tld/spring-form.tld</taglib-location>
        </taglib>
    </jsp-config>

</web-app>

I'm having a hard time trying to figure out what's wrong so any help is greatly appreciated.


回答1:


By default Spring security enables CSRF and every POST request as it expects a csrf token. Check the Spring CSRF documentation..

You can switchoff CSRF like this in your config to test already if it's the problem

<http auto-config="false">
        <csrf disabled="true"/> 

if you dont want to switchoff CSRF, you must POST the csrf tokens like this

<c:url var="logoutUrl" value="/logout"/>
<form action="${logoutUrl}" method="post">
  <input type="submit" value="Log out" />
  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>


来源:https://stackoverflow.com/questions/32335602/spring-security-error-forbidden-response-from-rest-endpoint

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!