Spring security 5.2: permitAll() in authorizeRequests() does not work for POST
Question
I have got the RestController
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HelloController {
    @GetMapping("/no-restriction/action")
    public String action() {
        return "hello";
    }

    @PostMapping("/no-restriction/action")
    public String action(@RequestBody String message) {
        return String.format("You posted '%s'.", message);
    }
}
and the configuration
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Both members below sit inside the application's outer configuration class.
@Bean
public OpaqueTokenIntrospector opaqueTokenIntrospector() {
    return token -> null; // TODO
}

@EnableWebSecurity
protected static class OAuth2ResourceServerSecurityConfiguration
        extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/no-restriction/**").permitAll()
                    .anyRequest().authenticated())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
    }
}
The HTTP request GET /no-restriction/action (without any authorization header) returns 200 OK and the text hello. But POST /no-restriction/action with any request body does not work, it returns 401 Unauthorized. Why does the POST not work?
Answer 1
Score: 3
You are probably missing a CSRF token in your POST request.
CSRF protection is enabled by default by Spring Security.
But you can disable this by:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable()
        ...;
or
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf(csrf -> csrf.disable())
        ...;
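As an added example (not code from the question or the answer), here is the poster's configuration rewritten two ways with the lambda DSL available in Spring Security 5.2: CSRF disabled for a fully stateless bearer-token API, and CSRF kept on with only the permitAll path exempted, which is the safer choice if the same application also signs browser users in with a session cookie. The class names are mine; the OpaqueTokenIntrospector bean is assumed to be the one from the question.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;

// Register exactly one of the two configurations below.

// Variant A: a pure bearer-token API. No session cookie is ever created, so a browser
// has nothing to send automatically and CSRF protection protects nothing; turning it
// off lets POST /no-restriction/action succeed without a token, as the question expects.
@EnableWebSecurity
public class StatelessResourceServerConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeRequests(authorize -> authorize
                .antMatchers("/no-restriction/**").permitAll()
                .anyRequest().authenticated())
            // the OpaqueTokenIntrospector bean from the question is assumed to exist
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
    }
}

// Variant B: the same application also serves browser clients that log in with a
// session cookie. Keep CSRF enabled and exempt only the public path, so every other
// state-changing request still has to carry a CSRF token.
@EnableWebSecurity
public class ScopedCsrfResourceServerConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.ignoringAntMatchers("/no-restriction/**"))
            .authorizeRequests(authorize -> authorize
                .antMatchers("/no-restriction/**").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::opaqueToken);
    }
}
```

With either variant the GET keeps working as before; the difference is only in which POST endpoints may be called without a CSRF token.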