405方法不允许,spring引导,但我使用了csrf令牌头

ma8fv8wu  于 2021-07-07  发布在  Java
关注(0)|答案(1)|浏览(535)

我正在用springboot制作一个web应用服务器。在开发的早期,我使用了 http.csrf().disable() 而且网页运行良好。但自从禁用设置被删除后,错误只发生在主机地址页上。当我请求get时,它工作得非常好,但是,它不适用于post、put、delete。。。当我在本地主机上进行测试时,所有请求都可以工作,包括那些方法。
我已经使用了csrf令牌头、表单的隐藏csrf输入和 beforeSend 在ajax中设置csrf头。我甚至改变了nginx的设置( error_page 405 =200 $uri; ),但还是一样。这是我的环境。
jdk 11号
Spring2.3.5
aws ec2-亚马逊linux 2 ami
aws rds-postgresql 13
aws s3 nginx 1.18.0标准
渐变5.6.4
百里香
请问有人能帮我吗?
我的github存储库链接


# aws server- nohup.out

[ec2-user@teamcoder-webservice ~]$ vim ~/app/step3/nohup.out
2020-12-01 23:24:18.953  INFO 3697 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@3ad85136, org.springframework.security.web.context.SecurityContextPersistenceFilter@2bc426f0, org.springframework.security.web.header.HeaderWriterFilter@176f7f3b, org.springframework.security.web.csrf.CsrfFilter@7d3c09ec, org.springframework.security.web.authentication.logout.LogoutFilter@1f53481b, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@7f93dd4e, org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@5ad5be4a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@33425811, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4cb2918c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@737d100a, org.springframework.security.web.session.SessionManagementFilter@58740366, org.springframework.security.web.access.ExceptionTranslationFilter@4af45442, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@671c4166]
2020-12-01 23:24:20.068  INFO 3697 --- [           main] o.s.b.a.w.s.WelcomePageHandlerMapping    : Adding welcome page template: index
2020-12-01 23:24:20.550  INFO 3697 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8081 (http) with context path ''
2020-12-01 23:24:20.552  INFO 3697 --- [           main] DeferredRepositoryInitializationListener : Triggering deferred initialization of Spring Data repositories…
2020-12-01 23:24:21.474  INFO 3697 --- [           main] DeferredRepositoryInitializationListener : Spring Data repositories initialized!
2020-12-01 23:24:21.499  INFO 3697 --- [           main] s.a.ScheduledAnnotationBeanPostProcessor : No TaskScheduler/ScheduledExecutorService bean found for scheduled processing
2020-12-01 23:24:21.527  INFO 3697 --- [           main] c.j.team.teamcoder.TeamCoderApplication  : Started TeamCoderApplication in 17.806 seconds (JVM running for 19.458)
2020-12-01 23:24:23.438  INFO 3697 --- [nio-8081-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring DispatcherServlet 'dispatcherServlet'
2020-12-01 23:24:23.443  INFO 3697 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2020-12-01 23:24:23.460  INFO 3697 --- [nio-8081-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 17 ms
2020-12-02 03:05:22.223  WARN 3697 --- [nio-8081-exec-2] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported]

# /etc/nginx/nginx.conf

http {
...
 server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        include /etc/nginx/conf.d/service-url.inc;

        location / {
                limit_except GET POST PUT DELETE {
                        deny all;
                }
                proxy_pass $service_url;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
        }
        error_page 405  =200 $uri;

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
}

# after change upper configuration

[ec2-user@teamcoder-webservice nginx]$ sudo /usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

另外,下面的代码是javaspring引导代码。

<!--ajax non-used request in "user_info.html"-->
<form th:action="@{'/api/v1/user/pic/' + ${user.id}}" method="post" enctype="multipart/form-data" name="pictureForm">
    <table>
        <tr><td><label th:for="picture">Profile Image</label></td>
            <td><input type="file" id="picture" name="picture" accept="image/png, image/jpeg" /></td></tr>
        <tr><td><img th:src="@{${user.picture}}" id="picture_img" alt="put your image"></td>
            <td><input type="button" name="Upload" value="Upload" onclick="submit_file_form(document.forms['pictureForm'].picture, 'pictureForm');" class="btn btn-info"/></td></tr>
    </table>
    <input type="hidden" name="pastPath" id="pastPath" th:value="${user.picture}"/>
    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />
</form>
//ajax used request in "user_info.html" -> "userInfo.js"

...

const csrfToken = $('#_csrf').attr('content');
const csrfHeader = $('#_csrf_header').attr('content');

var user_info = {

    init : function () {
        var _this = this;

        $('#btn-update').on('click', function () {
            _this.update();
        }); 

        $('#btn-delete').on('click', function () {
            _this.delete();
        });
    },
    update : function () {
        var data = {
            name: $('#name').val(),
            tags: commaToArray(convertTags($('#tags').val())),
            email: $('#email').val(),
            birth: $('#birth').val(),
            education: $('#education').val().toUpperCase(),
            location: $('#location').val()
        };

        var id = $('#id').val();

        $.ajax({
            type: 'PUT', 
            url: '/api/v1/user/'+id,
            dataType: 'json',
            contentType:'application/json; charset=utf-8',
            data: JSON.stringify(data),
            beforeSend: function (xhr){
                xhr.setRequestHeader(csrfHeader, csrfToken);
            }
        }).done(function() {
            alert('your information is modified');
            window.location.href = '/';
        }).fail(function (error) {
            alert(JSON.stringify(error));
        });
    },
...
<!-- in html header -->

<meta id="_csrf" th:name="${_csrf.parameterName}" th:content="${_csrf.token}"/>
<meta id="_csrf_header" name="_csrf_header" th:content="${_csrf.headerName}"/>
@RequiredArgsConstructor
@RestController
public class UserApiController {

    private  final UserService userService;
    private final RoleService roleService;

    @PutMapping("/api/v1/user/{id}")
    public Long update(@PathVariable String id,
                       @RequestBody UserUpdateRequestDto requestDto){

        roleService.reloadRolesForAuthenticatedUser(Role.USER.getKey());
        return userService.update(Long.valueOf(id), requestDto);
    }
}

@RequiredArgsConstructor
@RestController
public class FileController {

    private final UserService userService;]
    private final S3Service s3Service;

    @PostMapping("/api/v1/user/pic/{id}")
    public String updateUserPic(@PathVariable String id,
                                @RequestParam("pastPath") String pastPath,
                            @RequestPart("picture") MultipartFile multipartFile) throws IOException {

        String uploadDir = s3Service.upload(pastPath, multipartFile,"users/");
        userService.updatePic(Long.valueOf(id), uploadDir);

        return "You successfully uploaded " + uploadDir + "!";
    }
}
//SecurityConfig.java

@Configuration
@RequiredArgsConstructor
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final CustomOAuth2UserService customOAuth2UserService;

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/css/**", "/js/**", "/assets/img/**", "/lib/**", "/user-photos/**", "/group-files/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
                .authorizeRequests()  
                .antMatchers("/", "/logoption","/user/denied", "/search/**", "/privacy/rule","/profile").permitAll()  
                .antMatchers("/api/v1/user/**", "/api/v1/**").hasRole("GUEST")
                .antMatchers("/api/v1/group/**", "/group/**", "/api/v1/participate/**").hasRole("USER") 
                .anyRequest().authenticated()   
            .and()
                .logout().logoutSuccessUrl("/")
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
            .and()
                .exceptionHandling()
                .accessDeniedPage("/user/denied")
            .and()
                .oauth2Login()
                    .loginPage("/logoption")
                    .defaultSuccessUrl("/")
                    .userInfoEndpoint()// after oauth2 login
                        .userService(customOAuth2UserService); 

    }

    //for Spring Security
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }
}
Javaspring-bootamazon-web-serviceshttp-status-code-405csrf

1条答案

按热度按时间
ivqmmu1c

ivqmmu1c1#

尝试将以下内容添加到securityconfig:

http.cors().and()....

和cors配置:

@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true);
    config.addAllowedOrigin("*");  // TODO: lock down before deploying
    config.addAllowedHeader("*");
    config.addExposedHeader(HttpHeaders.AUTHORIZATION);
    config.addAllowedMethod("*");
    source.registerCorsConfiguration("/**", config);
    return new CorsFilter(source);
}
赞(0)分享  回复(0)举报  2021-07-07
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com