【Title】: Spring Security: Access the current authenticated User in PUT/POST request
【Posted】: 2016-12-29 19:41:33
【Question】:

I am trying to authenticate with Spring Security. The GET method shown below works fine, but the POST method gives a null value. I am using a POST request. Is that causing the problem? Can someone help resolve this?

GET method

@RequestMapping(value = "/getuser", method = RequestMethod.GET)
@ResponseBody
public String getAuthenticatedUser() {
    // Authentication populated by the security filter chain for this request
    Authentication user = SecurityContextHolder.getContext().getAuthentication();
    // Authentication has no getUser(); getName() returns the principal's username
    String userName = user.getName();
    return userName;
}

POST method

@RequestMapping(value = "/rest/getuser", method = RequestMethod.POST)
@ResponseBody
public String getAuthenticatedUser() {
    // Same lookup as the GET handler; returns null when the request bypassed the filter chain
    Authentication user = SecurityContextHolder.getContext().getAuthentication();
    String userName = user.getName();
    return userName;
}

Spring-Security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- HTTP interceptors for authentication -->
    <http pattern="/templates/**" security="none"></http>
    <http pattern="/css/**" security="none"></http>
    <http pattern="/js/**" security="none"></http>
    <http pattern="/lib/**" security="none"></http>
    <http pattern="/lib/css/**" security="none"></http>
    <http pattern="/lib/js/**" security="none"></http>
    <http pattern="/lib/fonts/**" security="none"></http>
    <http pattern="/img/**" security="none"></http>
    <http pattern="/rest/**" security="none"></http>
    <http pattern="/oAuth" security="none"></http>

    <http entry-point-ref="entryPoint" auto-config="true" use-expressions="true">
        <anonymous enabled="false"></anonymous>
        <custom-filter ref="oAuthFilter" after="SECURITY_CONTEXT_FILTER"></custom-filter>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"></intercept-url>
    </http>

    <authentication-manager alias="upmAuthenticationManager"></authentication-manager>

    <beans:bean id="entryPoint" class="auth.EntryPoint">
        <beans:constructor-arg value="/index.html"></beans:constructor-arg>
    </beans:bean>

    <beans:bean id="oAuthEnd" name="auth.oAuthEnd" class="oAuth.OAuthServlet">
        <beans:property name="oAuthFilter" ref="oAuthFilter"></beans:property>
    </beans:bean>

    <beans:bean id="oAuthFilter" class="auth.filter">
        <beans:property name="id" value=""></beans:property>
        <beans:property name="secret" value=""></beans:property>
        <beans:property name="url" value=""></beans:property>
    </beans:bean>

</beans:beans>

【Discussion】:

    Tags: spring-mvc spring-security


    【Solution 1】:

    The request method has nothing to do with it. But this line:

    <http pattern="/rest/**" security="none"></http>
    

    disables all security processing for that path.

    Perhaps you meant:

    <intercept-url pattern="/rest/**" access="permitAll"/>
    

    【Comments】:

    • If I remove that, PUT/POST requests give a 403 Forbidden error.
    • I had the same thought and tried the approach given in spring.io/blog/2013/08/21/…, but I cannot get the CSRF token into the header (I am using an AngularJS $http request).
    【Solution 2】:

    Please disable CSRF in your WebSecurityConfigurerAdapter. Example:

    http.csrf().disable();
    

    Or a "real" example:

    @Configuration
    @EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
    )
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.httpBasic().and().csrf().disable(); // <-- CSRF DISABLED
        }
    
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("user").password("{noop}password").roles("USER")
                    .and()
                    .withUser("admin").password("{noop}password").roles("ADMIN");
        }
    
    }
    

    【Comments】:
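Solution 1 identifies the actual cause: `security="none"` takes `/rest/**` out of the filter chain entirely, so `SecurityContextHolder` is never populated for those requests and `getAuthentication()` returns null regardless of whether the user logged in. The comments under it show the follow-on problem: once `/rest/**` is back inside the chain, CSRF protection applies to POST/PUT and returns 403 unless the token is sent. Solution 2 resolves that by disabling CSRF, which removes the protection from every state-changing endpoint. The following is an added example, not code from the question or either answer, showing the Java-config alternative that keeps `/rest/**` inside the chain and keeps CSRF on: `CookieCsrfTokenRepository.withHttpOnlyFalse()` issues the token in an `XSRF-TOKEN` cookie that AngularJS's `$http` reads and echoes back in the `X-XSRF-TOKEN` header on its own, which is the header the commenter could not populate. The in-memory user, the path list and the controller and class names are assumptions for illustration; Spring Security 5 with `WebSecurityConfigurerAdapter` is assumed, as in Solution 2.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Static assets are public but still pass through the chain (assumed paths).
                .antMatchers("/css/**", "/js/**", "/img/**", "/lib/**", "/templates/**").permitAll()
                // /rest/** stays INSIDE the chain so the SecurityContext is populated.
                // Excluding it via web.ignoring() (the Java equivalent of security="none")
                // would reproduce the null Authentication from the question.
                .antMatchers("/rest/**").authenticated()
                .anyRequest().hasRole("USER")
            .and()
            .httpBasic()
            .and()
            // CSRF stays enabled for POST/PUT/DELETE/PATCH. The cookie repository writes
            // the token to a non-HttpOnly XSRF-TOKEN cookie; AngularJS $http reads that
            // cookie and sends its value in the X-XSRF-TOKEN header, which Spring checks.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Assumed test user; replace with the real authentication provider.
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER");
    }
}

@RestController
class CurrentUserController {

    // Spring MVC resolves an Authentication parameter from the request's user principal,
    // so no static SecurityContextHolder lookup or cast is needed in the handler.
    @GetMapping("/getuser")
    public String getUser(Authentication authentication) {
        return authentication.getName();
    }

    // Works for POST as well once /rest/** is inside the filter chain; the caller must
    // send the CSRF header (AngularJS $http does this from the XSRF-TOKEN cookie).
    @PostMapping("/rest/getuser")
    public String postUser(Authentication authentication) {
        return authentication.getName();
    }
}
```

Two caveats a practitioner should check. First, the `XSRF-TOKEN` cookie must be readable by JavaScript for the double-submit pattern to work, which is why `withHttpOnlyFalse()` is used; that exposes only the CSRF token, not the session cookie, which should stay `HttpOnly`. Second, if `/rest/**` is left at `permitAll` inside the chain (as Solution 1 suggests), the context is still populated for logged-in users, but the handler then has to cope with a null `Authentication` for unauthenticated callers, since the question's configuration disables the anonymous filter.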
