403 error code when I send a request to the server and styles are enabled in the HTML page

Problem description    Votes: 0    Answers: 1

I use Spring Security, and I get onto the page with the ADMIN_ROLE authority. On this page I have a "Lock user" button; when I press it, the request is sent and I get a 403 error. The page loads its styles from the file style.css. When styles are enabled I get the error; when I disable styles I do not get the error. Can anyone help me with this?

HTML meta

<meta charset="UTF-8">
<title>Users</title>
<link rel="stylesheet" type="text/css" href="/style.css">

Form with the PATCH request

<form th:action="@{'/users/' + ${user.userId} + '?lock=1'}" method="post">
  <input type="hidden" name="_method" value="patch">
  <button class="page_button" type="submit">Lock user</button>
</form>

Server log with security tracing enabled

2024-05-08T16:12:13.191+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing PATCH /users/a77246cc-3353-4480-936f-d2d6ef9a706d?lock=1
2024-05-08T16:12:13.192+04:00 DEBUG 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for https://localhost:8080/users/a77246cc-3353-4480-936f-d2d6ef9a706d?lock=1
2024-05-08T16:12:13.192+04:00 DEBUG 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code
2024-05-08T16:12:13.192+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=
2024-05-08T16:12:13.192+04:00 DEBUG 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing POST /error?lock=1
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=651448C2F40E52F1E955B65F3CF7ADBC], Granted Authorities=[ROLE_ANONYMOUS]]
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (13/16)
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking JwtRequestFilter (14/16)
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking JwtRefreshFilter (15/16)
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (16/16)
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@5168821]]
2024-05-08T16:12:13.193+04:00 TRACE 103408 --- [fin-man-api] [nio-8080-exec-9] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@5168821]] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$1886/0x0000022711c49800@7ea871b5
2024-05-08T16:12:13.193+04:00 DEBUG 103408 --- [fin-man-api] [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Secured POST /error?lock=1
2024-05-08T16:12:13.203+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=
2024-05-08T16:12:13.204+04:00 DEBUG 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Securing GET /style.css
2024-05-08T16:12:13.204+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.s.w.a.www.BasicAuthenticationFilter  : Found username '[email protected]' in Basic Authorization header
2024-05-08T16:12:13.204+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2024-05-08T16:12:13.204+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.s.authentication.ProviderManager     : Authenticating request with DaoAuthenticationProvider (1/1)
Hibernate: select u1_0.id,u1_0.email,u1_0.account_is_locked,u1_0.account_is_enabled,u1_0.password,u1_0.user_id from users_table u1_0 where u1_0.email=?
Hibernate: select r1_0.id,r1_1.role_id,r1_1.role_name from role_user r1_0 join roles_table r1_1 on r1_1.role_id=r1_0.role_id where r1_0.id=?
2024-05-08T16:12:13.480+04:00 DEBUG 103408 --- [fin-man-api] [io-8080-exec-10] o.s.s.a.dao.DaoAuthenticationProvider    : Authenticated user
2024-05-08T16:12:13.480+04:00 DEBUG 103408 --- [fin-man-api] [io-8080-exec-10] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from 651448C2F40E52F1E955B65F3CF7ADBC
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2024-05-08T16:12:13.481+04:00 DEBUG 103408 --- [fin-man-api] [io-8080-exec-10] o.s.s.w.csrf.CsrfAuthenticationStrategy  : Replaced CSRF Token
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (13/16)
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking JwtRequestFilter (14/16)
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking JwtRefreshFilter (15/16)
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (16/16)
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] estMatcherDelegatingAuthorizationManager : Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@2102ea33]
2024-05-08T16:12:13.481+04:00 TRACE 103408 --- [fin-man-api] [io-8080-exec-10] estMatcherDelegatingAuthorizationManager : Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@2102ea33] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$1886/0x0000022711c49800@7ea871bz
2024-05-08T16:12:13.481+04:00 DEBUG 103408 --- [fin-man-api] [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Secured GET /style.css

I tried adding permitAll for the "/style.css" request, turning off CSRF for "/style.css", and many other options, but nothing helped.

java spring-boot spring-security
1 answer

0 votes

You should use wildcard patterns to intercept the URLs. Create separate folders for styles, JavaScript, and images. Then update your http security configuration like this:

<http>
    <intercept-url pattern="/css/**" access="permitAll" />
    <intercept-url pattern="/js/**" access="permitAll" />
    <intercept-url pattern="/img/**" access="permitAll" />
</http>
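The same fix in the Java configuration style used by Spring Boot 3 / Spring Security 6, added here as an example and not code from the question or the answer above. The trace shows why the stylesheet matters: the GET /style.css is not permitted, so the browser's Basic Authorization header re-authenticates it, ChangeSessionIdAuthenticationStrategy issues a new session and CsrfAuthenticationStrategy replaces the CSRF token, which invalidates the token already rendered into the form; permitting the asset folders keeps the stylesheet fetch out of the authentication path. The authority name ADMIN_ROLE is taken from the question, the /css/** style folder layout from the answer, and httpBasic() is assumed from the BasicAuthenticationFilter lines in the log.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StaticResourceSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Static assets are served without authentication, so the
                // browser's stylesheet request no longer passes through
                // BasicAuthenticationFilter: no new session, no replaced
                // CSRF token, and the token in the rendered form stays valid.
                .requestMatchers("/css/**", "/js/**", "/img/**").permitAll()
                // The user-management page and its lock action stay restricted.
                // ADMIN_ROLE is the authority named in the question; use the
                // exact authority string your UserDetails actually carries.
                .requestMatchers("/users/**").hasAuthority("ADMIN_ROLE")
                .anyRequest().authenticated())
            // CSRF protection stays on for every state-changing request.
            // With thymeleaf-spring, th:action adds the hidden _csrf field
            // to the form automatically; do not disable CSRF for assets.
            .csrf(Customizer.withDefaults())
            // Assumed from the log, which shows Basic authentication in use.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Move style.css to src/main/resources/static/css/ (Spring Boot serves that folder at /css/) and change the link to href="/css/style.css" so the request matches the permitted pattern.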
