I have a Vaadin application that I am trying to upgrade from Vaadin 14 to 24, which brings with it an upgrade from Spring Security 5 / Spring Boot 2 to Spring Security 6 and Spring Boot 3.
I am having a problem with a route that is annotated with @AnonymousAllowed and that accepts an x-www-form-urlencoded parameter containing a JSON structure.
I added a CommonsRequestLoggingFilter to dump requests to the log file, and I can see the request reaching the application.
The parameter reaches the application, and the logger records payload = payRequest = the JSON structure. Everything looks fine.
The next line in the log says
FilterChainProxy.doFilterInternal - Securing GET /?v-r=init&location=payments-list%2Fexternal-api&query=
and the parameter (payRequest) seems to have disappeared. By the time the request is correctly routed to the Vaadin view, there are no parameters in the request. It looks as if it has been converted into a GET with no parameters.
I am reaching the correct place in the application, but I seem to be losing the parameters from the POST request somewhere along the way.
Any suggestions as to what might be happening would be greatly appreciated. All of this works perfectly in Vaadin 14.
27-11:58:47.616 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.f.CommonsRequestLoggingFilter.beforeRequest - Before request [POST /wbcarpv24sb-2.0.0/payments-list/external-api, client=x.x.x.x]
27-11:58:47.616 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.s.DispatcherServlet.traceDebug - POST "/wbcarpv24sb-2.0.0/payments-list/external-api", parameters={masked}
27-11:58:47.617 [https-jsse-nio-8443-exec-24] DEBUG c.v.f.s.VaadinServletConfiguration$RootExcludeHandler.getHandler - Mapped to org.springframework.web.servlet.mvc.ServletForwardingController@2a4e714f
27-11:58:47.637 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.s.DispatcherServlet.logResult - Completed 200 OK
27-11:58:47.637 [https-jsse-nio-8443-exec-24] DEBUG o.s.w.f.CommonsRequestLoggingFilter.afterRequest - After request [POST /wbcarpv24sb-2.0.0/payments-list/external-api, client=192.x.x.x, session=FFBDDCFBFE7D5EDD3AE3EBECC9654604, payload=payRequest=%7B%22sid%22%3A%22000000%22%2C%22bu%22%3A%22MKCC%22%2C%22agentId%22%3A%22TestAgent%22%2C%22rurl%22%3A%22digest%22%3A%2266b09ea9e4bc8279a752db5b089e457f3a68a9ae50f776b38a6d842d314b4d4016bc83d734888c1318b9170aa061bbbd70654a1c67c9c42d47ad2a8d5f7f9940%22%7D]
27-11:58:47.703 [https-jsse-nio-8443-exec-27] DEBUG o.s.s.w.FilterChainProxy.doFilterInternal - Securing GET /?v-r=init&location=payments-list%2Fexternal-api&query=
........
c.S.a.u.c.u.v.x.l.MainLayout.afterNavigation - MainLayout - afterNavigation()payments-list/external-api
27-11:58:47.821 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - In Set Parameter method of payment list
27-11:58:47.821 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Context Path/wbcarpv24sb-2.0.0
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Heartbeat = 300
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Production Mode = true
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Close Idle Sessions = false
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Original Location = payments-list/external-api
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - queryParameters is NOT null ....
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - Query String =
27-11:58:47.822 [https-jsse-nio-8443-exec-28] INFO c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - parametersMap is NOT null .... 0
27-11:58:47.822 [https-jsse-nio-8443-exec-28] WARN c.S.a.u.c.u.v.x.e.ExApiPaymentsList.afterNavigation - payRequest IS null
I ran into a similar problem with my Spring Boot application earlier today, and it turned out that Spring CSRF protection can cause problems with POST requests. You need to disable it using the HttpSecurity.csrf(Customizer) pattern.
Sample code for the SecurityFilterChain in the SecurityConfig.java file:
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Turns CSRF protection off for the whole application
                .csrf(httpSecurityCsrfConfigurer -> httpSecurityCsrfConfigurer.disable())
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/").permitAll();
                    auth.requestMatchers("/your_endpoint1").permitAll();
                    auth.requestMatchers("/your_endpoint2").permitAll();
                    auth.anyRequest().authenticated();
                })
                .httpBasic(withDefaults())
                .build();
    }
}
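The answer above disables CSRF protection for every route. An added example (editor's code, not the answerer's and not part of the Vaadin project) showing the narrower alternative Spring Security 6 offers: keep CSRF enabled for the session-backed Vaadin UI and exempt only the one route that legitimately receives unauthenticated form POSTs. The path "/payments-list/external-api" is assumed from the route in the question's log; the class name ScopedCsrfSecurityConfig is invented for this example.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example, not code from the answer above or from Vaadin.
@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfig {

    // Assumed route, taken from the question's log. Matchers are evaluated
    // relative to the servlet context, so the context path (/wbcarpv24sb-2.0.0
    // in the log) is not part of the pattern.
    private static final RequestMatcher EXTERNAL_API_ROUTE =
            new AntPathRequestMatcher("/payments-list/external-api", "POST");

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // CSRF stays on for every other route; only this anonymous
                // form POST skips the token check. An explicit RequestMatcher
                // (rather than a String pattern) also avoids the "MVC or Ant
                // pattern?" error Spring Security 6 raises when more than one
                // servlet is registered, as in a Vaadin app.
                .csrf(csrf -> csrf.ignoringRequestMatchers(EXTERNAL_API_ROUTE))
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers(new AntPathRequestMatcher("/")).permitAll();
                    auth.requestMatchers(EXTERNAL_API_ROUTE).permitAll();
                    auth.anyRequest().authenticated();
                })
                .httpBasic(withDefaults())
                .build();
    }
}
```

To check that the exemption is really scoped, send a token-less POST to any other route: with the configuration above it is still rejected with 403, while the same POST to the exempted route passes through to the filter chain. With a global `.disable()` both requests are accepted, which is the difference worth keeping in mind before upgrading a production configuration.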