spring-mvc - Spring security,错误 405,保护当前 post 方法
问题描述
我使用带有角色的 spring 安全性来保护当前页面或操作与我的应用程序自己的地址。使用拒绝访问页面,当用户尝试获取不允许的页面时,我可以捕获错误 403 页面(访问被拒绝),但是当我保护当前操作时,如下所示:
<form th:action="'/blog/'+${el.id}+'/remove'" method="post">
<button class = "btn btn-warning" type="submit">Delete</button>
</form>
使用电流控制器的方法:
@PostMapping("/blog/{id}/remove")
public String blogPostRemove(@PathVariable(value = "id") long postId, Model model) {
Post post = postRepository.findById(postId).orElseThrow();
postRepository.delete(post);
return "redirect:/blog";
}
当具有不允许角色的用户尝试执行操作时,他将获得错误 405 的页面: 出现意外错误(类型=不允许方法,状态=405)。不支持请求方法“POST”。具有允许角色的用户没有任何问题。有一个 WebSecurityConfig 代码:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/unpublished","/blog/*/remove","/blog/*/comments/*/remove")
.hasAuthority("ADMIN")
.antMatchers("/blog/*/edit","/blog/*/comment","/blog/add").authenticated()
.antMatchers("/","/registration","/login","/blog/*").permitAll()
.and().formLogin()
.loginPage("/login")
.and().exceptionHandling()
.accessDeniedPage("/access-denied");
http.csrf().disable();
}
}
如何使用 /access-denied 更改此页面?日志:
2020-07-13 11:26:58.094 DEBUG 42636 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : GET "/blog/28", parameters={}
2020-07-13 11:26:58.096 DEBUG 42636 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.example.springExample.controllers.BlogController#blogDetails(long, Model)
2020-07-13 11:26:58.364 DEBUG 42636 --- [nio-8080-exec-6] o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, application/xhtml+xml, image/webp, image/apng, application/xml;q=0.9, application/signed-exchange;v=b3;q=0.9, *//*;q=0.8]
2020-07-13 11:26:58.402 DEBUG 42636 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : Completed 200 OK
2020-07-13 11:27:04.814 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : "FORWARD" dispatch for POST "/access-denied", parameters={}
2020-07-13 11:27:04.816 WARN 42636 --- [nio-8080-exec-9] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported]
2020-07-13 11:27:04.817 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : Exiting from "FORWARD" dispatch, status 405
2020-07-13 11:27:04.818 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for POST "/error", parameters={}
2020-07-13 11:27:04.818 DEBUG 42636 --- [nio-8080-exec-9] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2020-07-13 11:27:04.831 DEBUG 42636 --- [nio-8080-exec-9] o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, text/html;q=0.8]
2020-07-13 11:27:04.838 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 405
解决方案
我找到了问题 - 当用户尝试采取行动时,他会从表单发送 post 方法。当应用程序捕获拒绝访问错误时,它会尝试获取 /access-denied 页面,但由于操作类型,它将是 post 请求。解决方法是在当前控制器中添加/access-denied页面的PostMapping功能:
@GetMapping("/access-denied")
public String blockAccess(Model model) {
return "access-denied";
}
@PostMapping("/access-denied")
public String actionAccess(Model model) {
return "access-denied";
}
推荐阅读
- python - 使用 numpy genfromtxt python 后在源文件中找到跳过的行
- c# - 如何在 Json 字符串中转义 Json 字符串
- javascript - 脚本仅在页面刷新后才起作用?不在初始导航上?
- django - graphene.Node 和 graphene.relay.Node 有什么区别?
- c++ - 使用 const 和 non-const 进行参数传递
- reactjs - event.stopPropagation 似乎阻止了 useState 更新和渲染
- c++ - 返回对类数据成员的引用,然后尝试更改该成员
- python-3.x - 这些块是否符合 PEP8?
- jquery - 我想在此代码中的计数器之前添加一个美元符号货币符号
- java - 如何在 Spring Boot 2 中保护具有角色的执行器端点?