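We have migrated our software from Spring Boot 1.5.7 to Spring Boot 2. We use JSF by including joinfaces-parent in our pom.xml.
At startup everything works fine, but the login call does not work:

    Request method 'POST' not supported

Could this be a Spring Security issue? CSRF has been disabled.
Here is our SecurityConfig file: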

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        ...
        @Override
        protected void configure(HttpSecurity http) {
            try {
                http.csrf().disable().authorizeRequests()
                    .antMatchers("/javax.faces.resource/**", Page.LOGIN.getUrlForSecurityContext())
                    .permitAll()
                    .and()
                    ........
                    // *** login configuration
                    .formLogin()
                    .loginPage(Page.LOGIN.getUrlForSecurityContext()).permitAll()
                    .failureUrl(Page.LOGIN.getUrlForSecurityContext() + "?error=true")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .successHandler(authenticationSuccessHandler)
                    .and()
                    ...........
                // @formatter:on
            } catch (Exception ex) {
                throw new RuntimeException(ex);
            }
        }
        .......
    }

The login request does not reach our backend. I found that this error is generated by the dispatcher.forward function called from the xhtml. Here is the function:

    public void login() throws ServletException, IOException {
        final ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
        final RequestDispatcher dispatcher = ((ServletRequest) context.getRequest()).getRequestDispatcher("/login");
        dispatcher.forward((ServletRequest) context.getRequest(), (ServletResponse) context.getResponse());
        FacesContext.getCurrentInstance().responseComplete();
    }

Here are more logs from when the error message occurs:

    [io.undertow.servlet] (default task-3) Initializing Spring FrameworkServlet 'dispatcherServlet'
    16:02:20,926 INFO [org.springframework.web.servlet.DispatcherServlet] (default task-3) FrameworkServlet 'dispatcherServlet': initialization started
    16:02:20,938 INFO [org.springframework.web.servlet.DispatcherServlet] (default task-3) FrameworkServlet 'dispatcherServlet': initialization completed in 12 ms
    16:02:20,949 WARN [org.springframework.web.servlet.PageNotFound] (default task-3) Request method 'POST' not supported
    16:02:20,973 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] (default task-3) Cannot forward to error page for request [/login] as the response has already been committed. As a result, the response may have the wrong status code. If your application is running on WebSphere Application Server you may be able to resolve this problem by setting com.ibm.ws.webcontainer.invokeFlushAfterService to false

Thanks for your advice!
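Posted on 2018-08-10 17:56:11
The Spring Security configuration looks fine to me. There is a problem with your login controller. I think your login method is called in response to a POST request from the client. It then tries to forward this POST to render the login page and finally throws an exception. Obviously it should be a GET request instead of a POST.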
https://stackoverflow.com/questions/51781261
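
The log above shows the forwarded POST to /login being handled by DispatcherServlet rather than by Spring Security's form-login filter; under the Servlet specification a filter only sees forwarded requests when it is registered for the FORWARD dispatcher type. The following is an added configuration example, not part of the original question or answer, and it assumes Spring Boot 2's `spring.security.filter.dispatcher-types` property, whose default set does not include FORWARD:

```properties
# application.properties (added example, not from the original post)

# Spring Boot 2 default registration of the Spring Security filter chain.
# A RequestDispatcher.forward(...) to /login is a FORWARD dispatch, so with this
# set it skips the security filters and lands in DispatcherServlet, which has
# no POST handler for /login ("Request method 'POST' not supported").
# spring.security.filter.dispatcher-types=async,error,request

# Register the filter chain for FORWARD as well, so the forwarded POST /login
# from the JSF login() method is processed by the formLogin() filter.
spring.security.filter.dispatcher-types=async,error,forward,request
```

With FORWARD enabled, every internal forward also passes through the security filter chain, so the authorization rules in SecurityConfig apply to forward targets as well.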