我有一个Rest Controller和两个端点。虽然我可以对GET端点进行基本身份验证,但不能对POST端点执行相同的身份验证。
由于某些原因POST端点返回401,请在下面查看GET和POST的curl执行。
可能是什么原因?有任何想法吗?正如您可以在底部检查“安全配置”一样,我没有GET / POST的特殊情况。
请尝试:
curl -v -u user:password -X GET http://localhost:8080/api/clusters/
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'user'
> GET /api/clusters/ HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Fri, 20 Dec 2019 12:50:44 GMT
<
* Connection #0 to host localhost left intact
[{"id":1,"name":"Alfa","securityProtocol":"PLAINTEXT","sslTruststorePassword":null,"sslKeystorePassword":null,"sslKeyPassword":null,"trustStore":null,"keyStore":null,"saslMechanism":"","saslJaasConfig":"","clientId":"Ali","requestTimeoutMs":30000,"version":0,"properties":[],"bootstrapServers":"kafka1:9093"}]* Closing connection 0
POST TRY:
kaan$ curl -v -u user:password -X POST http://localhost:8080/api/clusters/ -d {"name":"Beta"}
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Server auth using Basic with user 'user'
> POST /api/clusters/ HTTP/1.1
> Host: localhost:8080
> Authorization: Basic dXNlcjpwYXNzd29yZA==
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 11
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 11 out of 11 bytes
< HTTP/1.1 401
< Set-Cookie: JSESSIONID=022342C09075AC29AC703547FD5A0E45; Path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Realm"
< Content-Length: 0
< Date: Fri, 20 Dec 2019 12:51:38 GMT
<
* Connection #0 to host localhost left intact
* Closing connection 0
我的安全配置为:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()
.authorizeRequests()
.antMatchers("/css/**", "/js/**", "/img/**", "/vendor/**", "/login").permitAll()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.formLogin()
.loginPage("/login.html")
.permitAll()
.and()
.logout()
.permitAll();
}
这解决了问题:
。csrf()。disable()