2015-03-01 4 views
2

Я получаю ошибку ниже, когда я пытаюсь внедрить Spring Security -HTTP Status 405 - метод запроса 'POST' не поддерживается - Spring Security

контроллер:

@Controller 
public class EmployeeController { 

    @RequestMapping(value = { "/", "/welcome**" }, method = RequestMethod.GET) 
    public ModelAndView defaultPage() { 

     ModelAndView model = new ModelAndView(); 
     model.addObject("title", "Spring Security + Hibernate Example"); 
     model.addObject("message", "This is default page!"); 
     model.setViewName("hello"); 
     return model; 
    } 

    @RequestMapping(value = "/admin**", method = RequestMethod.GET) 
    public ModelAndView adminPage() { 

     ModelAndView model = new ModelAndView(); 
     model.addObject("title", "Spring Security + Hibernate Example"); 
     model.addObject("message", "This page is for ROLE_ADMIN only!"); 
     model.setViewName("admin"); 

     return model; 
    } 

    @RequestMapping(value = "/login", method = RequestMethod.GET) 
    public ModelAndView login(
      @RequestParam(value = "error", required = false) String error, 
      @RequestParam(value = "logout", required = false) String logout, 
      HttpServletRequest request) { 

     ModelAndView model = new ModelAndView(); 
     if (error != null) { 
      model.addObject("error", 
        getErrorMessage(request, "SPRING_SECURITY_LAST_EXCEPTION")); 
     } 

     if (logout != null) { 
      model.addObject("msg", "You've been logged out successfully."); 
     } 
     model.setViewName("login"); 

     return model; 
    } 

    // customize the error message 
    private String getErrorMessage(HttpServletRequest request, String key) { 

     Exception exception = (Exception) request.getSession() 
       .getAttribute(key); 

     String error = ""; 
     if (exception instanceof BadCredentialsException) { 
      error = "Invalid username and password!"; 
     } else if (exception instanceof LockedException) { 
      error = exception.getMessage(); 
     } else { 
      error = "Invalid username and password!"; 
     } 
     return error; 
    } 

    // for 403 access denied page 
    @RequestMapping(value = "/403", method = RequestMethod.GET) 
    public ModelAndView accesssDenied() { 

     ModelAndView model = new ModelAndView(); 

     // check if user is login 
     Authentication auth = SecurityContextHolder.getContext() 
       .getAuthentication(); 
     if (!(auth instanceof AnonymousAuthenticationToken)) { 
      UserDetails userDetail = (UserDetails) auth.getPrincipal(); 
      System.out.println(userDetail); 

      model.addObject("username", userDetail.getUsername()); 
     } 

     model.setViewName("403"); 
     return model; 
    } 
} 

web.xml

<!DOCTYPE web-app PUBLIC 
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
"http://java.sun.com/dtd/web-app_2_3.dtd" > 

<web-app> 
    <display-name>Archetype Created Web Application</display-name> 
    <servlet> 
     <servlet-name>mvc-dispatcher</servlet-name> 
     <servlet-class> 
      org.springframework.web.servlet.DispatcherServlet 
     </servlet-class> 
     <load-on-startup>1</load-on-startup> 
    </servlet> 

    <servlet-mapping> 
     <servlet-name>mvc-dispatcher</servlet-name> 
     <url-pattern>/</url-pattern> 
    </servlet-mapping> 

    <listener> 
     <listener-class> 
      org.springframework.web.context.ContextLoaderListener 
     </listener-class> 
    </listener> 

    <context-param> 
     <param-name>contextConfigLocation</param-name> 
     <param-value> 
      /WEB-INF/mvc-dispatcher-servlet.xml, 
      /WEB-INF/spring-security.xml 
     </param-value> 
    </context-param> 
    <!-- /WEB-INF/spring-security.xml --> 

    <!-- Spring Security --> 
    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 
</web-app> 

весна-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
    http://www.springframework.org/schema/security 
    http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

    <!-- enable use-expressions --> 
    <http auto-config="true" use-expressions="true"> 
     <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" /> 

     <!-- access denied page --> 
     <access-denied-handler error-page="/403" /> 
     <form-login 
      login-page="/login" 
      default-target-url="/welcome" 
      authentication-failure-url="/login?error" 
      username-parameter="username" 
      password-parameter="password" /> 
     <logout logout-success-url="/login?logout" /> 
     <!-- enable csrf protection --> 
     <csrf /> 
    </http> 

    <authentication-manager> 
     <authentication-provider user-service-ref="myUserDetailsService" > 
      <password-encoder hash="bcrypt" />  
     </authentication-provider> 
    </authentication-manager> 

</beans:beans> 

login.jsp

<body onload='document.loginForm.username.focus();'> 

    <h1>Spring Security Login Form (Database + Hibernate Authentication)</h1> 

    <div id="login-box"> 

     <h3>Login with Username and Password</h3> 

     <c:if test="${not empty error}"> 
      <div class="error">${error}</div> 
     </c:if> 
     <c:if test="${not empty msg}"> 
      <div class="msg">${msg}</div> 
     </c:if> 

     <form name='loginForm' 
      action="<c:url value='/j_spring_security_check' />" method='POST'> 

      <table> 
       <tr> 
        <td>User:</td> 
        <td><input type='text' name='username'></td> 
       </tr> 
       <tr> 
        <td>Password:</td> 
        <td><input type='password' name='password' /></td> 
       </tr> 
       <tr> 
        <td colspan='2'><input name="submit" type="submit" 
         value="submit" /></td> 
       </tr> 
      </table> 

      <input type="hidden" name="${_csrf.parameterName}" 
       value="${_csrf.token}" /> 

     </form> 
    </div> 

</body> 

Ошибка: -

http://localhost:8080/EmployeeManagement/j_spring_security_check

09:01:22.135 [http-8080-4] DEBUG o.s.s.web.DefaultRedirectStrategy - Redirecting to ' http://localhost:8080/EmployeeManagement/login;jsessionid=E27C22793BAA2C7FC38039260EC08152 ' 09:01:22.135 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 09:01:22.136 [http-8080-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed 09:01:22.145 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 09:01:22.145 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT 09:01:22.145 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: [email protected] A new one will be created. 09:01:22.145 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 2 of 11 in additional filter chain; firing Filter: 'CsrfFilter' 09:01:22.146 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter' 09:01:22.146 [http-8080-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login' doesn't match 'POST /j_spring_security_logout 09:01:22.146 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' 09:01:22.146 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' 09:01:22.146 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 09:01:22.146 [http-8080-4] DEBUG o.s.s.w.s.DefaultSavedRequest - pathInfo: both null (property equals) 09:01:22.147 [http-8080-4] DEBUG o.s.s.w.s.DefaultSavedRequest - queryString: both null (property equals) 09:01:22.147 [http-8080-4] DEBUG o.s.s.w.s.DefaultSavedRequest - requestURI: arg1=/EmployeeManagement/admin; arg2=/EmployeeManagement/login;jsessionid=E27C22793BAA2C7FC38039260EC08152 (property not equals) 09:01:22.147 [http-8080-4] DEBUG o.s.s.w.s.HttpSessionRequestCache - saved request doesn't match 09:01:22.147 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 09:01:22.147 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 09:01:22.147 [http-8080-4] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.sprin[email protected]6fa90ed4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffc7f0c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E27C22793BAA2C7FC38039260EC08152; Granted Authorities: ROLE_ANONYMOUS' 09:01:22.147 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' 09:01:22.148 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 09:01:22.148 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 09:01:22.148 [http-8080-4] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login'; against '/admin**' 09:01:22.148 [http-8080-4] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Public object - authentication not attempted 09:01:22.148 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /login reached end of additional filter chain; proceeding with original chain 09:01:22.148 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'mvc-dispatcher' processing GET request for [/EmployeeManagement/login] 09:01:22.149 [http-8080-4] DEBUG o.s.w.s.m.a.DefaultAnnotationHandlerMapping - Mapping [/login] to HandlerExecutionChain with handler [[email protected]] and 1 interceptor 09:01:22.150 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - Last-Modified value for [/EmployeeManagement/login] is: -1 09:01:22.189 [http-8080-4] DEBUG o.s.w.b.a.s.HandlerMethodInvoker - Invoking request handler method: public org.springframework.web.servlet.ModelAndView com.employeemgmt.controller.EmployeeController.login(java.lang.String,java.lang.String,javax.servlet.http.HttpServletRequest) 09:01:22.190 [http-8080-4] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Invoking afterPropertiesSet() on bean with name 'login' 09:01:22.190 [http-8080-4] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.transaction.config.internalTransactionAdvisor' 09:01:22.190 [http-8080-4] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor#0' 09:01:22.190 [http-8080-4] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.transaction.config.internalTransactionAdvisor' 09:01:22.190 [http-8080-4] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor#0' 09:01:22.190 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - Rendering view [org.springframework.web.servlet.view.JstlView: name 'login'; URL [/WEB-INF/pages/login.jsp]] in DispatcherServlet with name 'mvc-dispatcher' 09:01:22.190 [http-8080-4] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'requestDataValueProcessor' 09:01:22.190 [http-8080-4] DEBUG o.s.web.servlet.view.JstlView - Forwarding to resource [/WEB-INF/pages/login.jsp] in InternalResourceView 'login' 09:01:22.279 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 09:01:22.279 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request 09:01:22.279 [http-8080-4] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Chain processed normally 09:01:22.280 [http-8080-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed 09:01:23.967 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 09:01:23.967 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT 09:01:23.968 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: [email protected] A new one will be created. 09:01:23.968 [http-8080-4] DEBUG o.s.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 11 in additional filter chain; firing Filter: 'CsrfFilter' 09:01:23.969 [http-8080-4] DEBUG o.s.security.web.csrf.CsrfFilter - Invalid CSRF token found for http://localhost:8080/EmployeeManagement/j_spring_security_check 09:01:23.971 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - DispatcherServlet with name 'mvc-dispatcher' processing POST request for [/EmployeeManagement/403] 09:01:23.971 [http-8080-4] DEBUG o.s.w.s.m.a.DefaultAnnotationHandlerMapping - Mapping [/403] to HandlerExecutionChain with handler [[email protected]] and 1 interceptor 09:01:23.982 [http-8080-4] DEBUG o.s.w.s.m.a.AnnotationMethodHandlerExceptionResolver - Resolving exception from handler [[email protected]]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported 09:01:23.984 [http-8080-4] DEBUG o.s.w.s.m.a.ResponseStatusExceptionResolver - Resolving exception from handler [[email protected]]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported 09:01:23.984 [http-8080-4] DEBUG o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolving exception from handler [[email protected]]: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported 09:01:23.984 [http-8080-4] WARN o.s.web.servlet.PageNotFound - Request method 'POST' not supported 09:01:23.984 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 09:01:23.984 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - Null ModelAndView returned to DispatcherServlet with name 'mvc-dispatcher': assuming HandlerAdapter completed request handling 09:01:23.984 [http-8080-4] DEBUG o.s.web.servlet.DispatcherServlet - Successfully completed request 09:01:23.984 [http-8080-4] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. 09:01:23.984 [http-8080-4] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

+3

Эта проблема была решена. Значения токенов csrf не заменялись. Как только я добавил - <% @ page isELIgnored = "false"%>, он был решен – user1050619

+0

Вы могли бы разместить это в качестве ответа, пожалуйста. –

ответ

0

Ваши методы контроллера аннотируются RequestMethod.GET, тогда как метод login.jsp форма запроса POST. Оба должны быть POST.

0

Я добавляю ответ, найденный здесь OP.

The csrf token values did not get substituted. Once I added - <%@ page isELIgnored ="false" %>

Personnaly Я решил это, просто удалив csrf под весной. В наборе тегов http<csrf disabled="true"/>

0

Вы используете метод GET на /login картинах в вашем контроллере.

Using POST method for authentication is standard.

изменение @RequestMapping(value = "/login", method = RequestMethod.GET) в @RequestMapping(value = "/login", method = RequestMethod.POST)