当前位置: 首页 > 知识库问答 >
问题:

Spring Security请求仅接受内容类型x-www-form-urlencoded的请求

陶树
2023-03-14

这是我第一次决定用完整的Java代码配置编写基于Spring Boot和Spring Security性的应用程序,我遇到了无法超越的奇怪问题。我正在尝试用Postman测试API,我的请求只有在使用内容类型为application/x-www-form-urlencoded时才被接受。下面我粘贴我的所有当前配置。

@SpringBootApplication
public class OpenIdApplication {
    public static void main(String[] args) {
        SpringApplication.run(OpenIdApplication.class, args);
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private UserService userService;

    @Autowired
    public SecurityConfig(UserService userService) {
        this.userService = userService;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userService);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(11);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/register/**").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
            .and()
                .cors()
            .and()
                .csrf()
                    .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }

}

@RestController
public class UserController {
    ...    

    @PostMapping(value = "/register")
    public ResponseEntity<Object> registerUser(
            @RequestBody UserRegistrationDto newUser, BindingResult bindingResult) {
       ...
    }

@Data
@Builder
@NoArgsConstructor
@AllArgsConstructor
public class UserRegistrationDto {
    private String username;
    private String firstName;
    private String lastName;
    private String email;
    private String password;
    private String passwordRepeat;
}

如果我想登录,我只能使用提到的内容类型。对于应用程序/json,我得到403响应状态。对于 /registrationendpoint,如果我从方法参数中删除@刚体,那么它可以很好地处理应用程序/x-www-form-urlencoded请求,但是如果我保留它,那么对于这种内容类型,我得到415,但是如果我尝试应用程序/json,那么我看到403。我还尝试在这个endpoint上方添加@Preautorize(“permitAll()”)注释,在Spring Security配置中添加http pBasic(),这导致响应状态从403更改为401。

我尝试过将2个不同的JSON发送到该endpoint:

{
    "username":"test", 
    "firstName":"Test", 
    "lastName":"Test", 
    "email":"test@test.com",
    "password":"test",
    "passwordRepeat":"test",
    "_csrf":"8b7d4680-5be4-482a-9138-b4eb92a358c1"
}

{
    "newUser": {
        "username":"test", 
        "firstName":"Test", 
        "lastName":"Test", 
        "email":"test@test.com",
        "password":"test",
        "passwordRepeat":"test"
    },
    "_csrf":"8b7d4680-5be4-482a-9138-b4eb92a358c1"
}

当然,每次我都要确保_csrf与从我的API返回的相匹配。

我正在使用Spring Boot 2.0.1。发布和Spring安全5.0.3。释放。

共有1个答案

梅飞龙
2023-03-14

我非常确定,当您发布到/register时,Ant模式“/register/**”匹配所有以/register/开头的URL(请参见此处的示例)(末尾没有斜杠)。你应该试试

.antMatchers("/register*").permitAll()

或者

.mvcMatchers(HttpMethod.POST, "/register").permitAll()

第一个匹配以/register开头的任何URL,而第二个匹配您的@PostMapping

 类似资料: