Title: Spring Security - j_spring_security_check - HTTP status 403
Posted: 2018-10-04 13:17:31
Question:

I'm new to Spring Security. When I press Login, the site http://localhost:8080/j_spring_security_check comes up with:
HTTP Status 403 – Forbidden
Type Status Report

Message Forbidden

Description The server understood the request but refuses to authorize it.

Apache Tomcat/9.0.12

Here is web.xml:

<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/webcontext/security-context.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>
            org.springframework.web.context.ContextLoaderListener
        </listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>DefaultServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/webcontext/DispatcherServlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>DefaultServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>

login.jsp

Here, in <form action="<c:url value="/j_spring_security_check"></c:url>" method="post">, /j_spring_security_check is marked in red with the error: Cannot resolve controller URL '/j_spring_security_check'

<%@page pageEncoding="UTF-8" contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.0/css/bootstrap.min.css">
    <title>Produkty</title>
</head>
<body>
<section>
    <div class="jumbotron">
        <div class="container">
            <h1>Produkty</h1>
            <p>Dodaj produkty</p>
        </div>
    </div>
</section>
<div class="container">
    <div class="row">
        <div class="col-md-4 col-md-offset-4">
            <div class="panel panel-default">
                <div class="panel-heading">
                    <h3 class="panel-title">Zaloguj się</h3>
                </div>
                <div class="panel-body">
                    <c:if test="${not empty error}">
                    <div class="alert alert-danger">
                        <spring:message code="AbstractUserDetailsAuthenticationProvider.badCredentials"/><br/>
                    </div>
                    </c:if>
                    <form action="<c:url value="/j_spring_security_check"></c:url>" method="post">
                        <fieldset>
                            <div class="form-group">
                                <input class="form-control" placeholder="Nazwa użytkownika" name='j_username' type="text">
                            </div>
                            <div class="form-group">
                                <input class="form-control" placeholder="Hasło" name='j_password' type="password" value="">
                            </div>
                            <input class="btn btn-lg btn-success btn-block" type="submit" value="Zaloguj się">
                        </fieldset>
                    </form>
                </div>
            </div>
        </div>
    </div>
</div>
</body>
</html>

security-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/mvc
                           http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-4.2.xsd
                           http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd">
    <security:http auto-config="true">
        <security:intercept-url pattern="/products/add" access="hasRole('ROLE_ADMIN')"/>
        <security:form-login login-page="/login" default-target-url="/products/add"
                             authentication-failure-url="/loginfailed"/>
        <security:logout logout-success-url="/logout"/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="Admin" password="Admin123" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

What should I add to make it work correctly?

Comments:

Tags: java spring spring-mvc spring-security


Answer 1:

Check the CSRF token.

If you use a form tag with a POST URL, you should send the token parameter with it:

<form>
  <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
</form>

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Disables CSRF protection for the whole application
        http
            .csrf().disable();
    }
}

The URL should be allowed in the security configuration:

@Configuration
@EnableWebSecurity
@EnableOAuth2Sso
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests()
            // Allow the login POST without authentication
            .antMatchers(HttpMethod.POST, "/j_spring_security_check").permitAll();
    }
}

Discussion:

  • Where should I put the form tag? In security-context.xml?
  • In the <form ... method="post"> tag
Answer 2:

Because the request does not contain a CSRF token. Since Spring Security enables CSRF protection automatically, the CSRF token must be sent along with the request. Simply disabling it is not a good idea; that would leave the whole application wide open.

Add the following hidden input to the form:

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

If you want to disable CSRF support, use this in security-context.xml (Spring 4+):

<http>
    <csrf disabled="true"/>
</http>

Discussion:

  • Which one is better?
  • @pipilam I would use the CSRF token, but it depends
  • @pipilam You need to paste this <input> into the <form> in the HTML
  • Now I get another error: No mapping found for HTTP request with URI [/j_spring_security_check] in DispatcherServlet with name 'DefaultServlet'. Everything should be working...
  • @pipilam Try /login instead
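As an added example that is not part of the thread, here is a security-context.xml <security:http> fragment for Spring Security 4.2 that keeps CSRF protection on and makes the form-login processing URL and parameter names match the login.jsp form from the question (the 4.x defaults are /login, "username" and "password", which is why the j_* URL is no longer intercepted). It assumes the hidden _csrf input from this answer is added to that form; the logout-success-url value is my assumption.

```xml
<!-- Added example (not from the thread): security-context.xml fragment for Spring Security 4.2.
     CSRF stays enabled; form-login is made to match the existing login.jsp form. -->
<security:http>
    <!-- The login page must stay reachable; only /products/add is restricted. -->
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/products/add" access="hasRole('ROLE_ADMIN')"/>

    <!-- Spring Security 4 defaults are /login, "username" and "password".
         The JSP posts to /j_spring_security_check with j_username/j_password,
         so set the processing URL and parameter names explicitly. -->
    <security:form-login login-page="/login"
                         login-processing-url="/j_spring_security_check"
                         username-parameter="j_username"
                         password-parameter="j_password"
                         default-target-url="/products/add"
                         authentication-failure-url="/loginfailed"/>

    <!-- CSRF protection is the 4.x default; left on rather than disabled.
         The form must then carry the hidden _csrf input, and with CSRF on,
         logout has to be a POST that carries the token as well. -->
    <security:csrf/>

    <!-- Assumption: send the user back to the login page after logout. -->
    <security:logout logout-success-url="/login?logout"/>
</security:http>
```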