Spring Security-所有JQuery Ajax发布请求都返回404
问题内容:
我所有的$.ajax,都POST和GET都工作正常,但只要我整合Spring security 3.2.6到我的项目的POSTAjax请求停止,而洛任何问题的工作。
spring-security.xml
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!--Permit all Web resources to bypass proxy-->
<http pattern="/js/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/fonts/**" security="none"/>
<http pattern="/images/**" security="none"/>
<http auto-config="true" use-expressions="true" >
<intercept-url pattern="/login" access="isAnonymous()"/>
<intercept-url pattern="/workflow**" access="hasRole('ROLE_WORKFLOW_ADMIN')"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WORKFLOW_ADMIN','ROLE_DMS_ADMIN')"/>
<access-denied-handler error-page="/403"/>
<form-login
login-page="/login"
default-target-url="/dashboard"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>
<logout invalidate-session="true" logout-success-url="/login?logout"/>
<csrf/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider ref="daoAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="authService"/>
</beans:bean>
</beans:beans>
Web.xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error</location>
</error-page>
</web-app>
编辑
我尝试访问的URL是
弹簧安全性可以解决问题吗?
问题答案:
最终,经过三天的苦苦挣扎,我发现了问题所在,但孩子真傻。
问题是我已启用csrfSpring Security中的保护。这导致我的发帖请求被禁止,从而触发了access-denied- handler错误页面,因为我没有如下图所示将我映射access-denied-handler到"/403"错误页面,所以我http 403/401被http 404
<access-denied-handler error-page="/403"/>
简而言之
- 将
access-denied-handler错误页面映射到有效网址 - 如果您使用csrf保护,请务必确保您在ajax发布请求中将它们传递为此类
$ .ajax({method:’POST’,url:’/ ajax’,data:{“ $ { csrf.parameterName}”:“ $ {
csrf.token}”}}));
