How to enable POST, PUT AND DELETE methods in spri

Published 2019-06-21 20:22

I developed an application with Spring Boot, which was working fine. There is a RESTful controller. I tried to add Spring Security to some of the pages. The REST controller's endpoint is

/api/greetings

I configured the security settings in the class below.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home","/api/greetings").permitAll()
                //.antMatchers("/api/greetings","").permitAll()//can't do this
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}

Now, when I try accessing the REST endpoint from a REST client (Postman), only the GET method is accessible, and I am getting a 403 Forbidden response if I try to POST, PUT or DELETE.

{
    "timestamp": 1467223888525,
    "status": 403,
    "error": "Forbidden",
    "message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.",
    "path": "/api/greetings/2"
}

How do I solve this issue? I am new to Spring Security.

1 answer
男人必须洒脱
Post #2 · 2019-06-21 20:54

UPDATE Answer

If you're using Spring Security 4, you can disable specific routes easily:

http.csrf().ignoringAntMatchers("/nocsrf","/ignore/startswith/**")

If not, you can enable/disable CSRF on specific routes using requireCsrfProtectionMatcher:

import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Inside configure(HttpSecurity http): replace the default matcher with one that
// skips the CSRF check for safe methods and for paths matching /v<N>/...
http.csrf().requireCsrfProtectionMatcher(new RequestMatcher() {
    private final Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
    private final RegexRequestMatcher apiMatcher = new RegexRequestMatcher("/v[0-9]*/.*", null);

    @Override
    public boolean matches(HttpServletRequest request) {
        // No CSRF check for safe (read-only) HTTP methods
        if (allowedMethods.matcher(request.getMethod()).matches())
            return false;

        // No CSRF check for versioned API calls (/v1/..., /v2/...)
        if (apiMatcher.matches(request))
            return false;

        // CSRF check for everything else that is neither an API call nor a safe method
        return true;
    }
});

ORIGINAL Answer

You got an error because CSRF handling is 'on' by default with Spring Security.

You can disable it by adding http.csrf().disable();.

But really, would you leave your application unsecured? I invite you to read this article to protect your application against CSRF, even if your application is based on REST service and not form submission.
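A complete configuration that keeps the questioner's form-login setup while handling the 403 on the /api/greetings endpoint without turning CSRF off globally, as an added example that is not code from the question or the answer. It assumes Spring Boot 2.x with Spring Security 5.x in the WebSecurityConfigurerAdapter style the question uses; the package name and the /api/** prefix are assumptions. It shows the two choices the answer describes side by side: keep CSRF on and let the client echo the token (the default here), or exempt only the API routes instead of calling csrf().disable().

```java
// Added example, not the question's or the answer's code. Assumes Spring Boot 2.x /
// Spring Security 5.x; package name and /api/** prefix are assumptions.
package com.example.demo.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // Choice 1 (active): keep CSRF on for every route, including the API.
                // The token is stored in a cookie named XSRF-TOKEN that is readable by
                // JavaScript (httpOnly=false), and the client sends it back in the
                // X-XSRF-TOKEN header on POST/PUT/DELETE. The CsrfFilter compares the
                // header value with the cookie value, so a cross-site page, which
                // cannot read the cookie, cannot forge the header.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                // Choice 2 (commented out): exempt only the API routes from the CSRF
                // check. Appropriate only when /api/** is not authenticated by the
                // browser session cookie (e.g. it uses a bearer token the browser does
                // not attach automatically); the form-login pages stay protected.
                // .ignoringAntMatchers("/api/**")
                .and()
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                // Use a pattern so /api/greetings/2 from the error message also matches;
                // "/api/greetings" alone would not cover sub-paths.
                .antMatchers("/api/greetings/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
}
```

With choice 1, a client such as Postman first issues any request (a GET to /api/greetings is enough) so that Spring Security sets the XSRF-TOKEN cookie, then copies that cookie's value into an X-XSRF-TOKEN header on the POST, PUT or DELETE; the 403 "Invalid CSRF Token 'null'" from the question disappears while CSRF protection stays in place. With choice 2 the 403 also disappears for /api/**, but only because the check is skipped there, so it should be paired with a stateless, non-cookie authentication scheme for those routes; a blanket http.csrf().disable() removes the protection from the login and logout pages as well.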
