SpringBootAPI在put和delete请求上返回403禁止,但在post或get上不返回

2hh7jdfx  于 2021-07-23  发布在  Java
关注(0)|答案(0)|浏览(500)

当我在本地运行应用程序(angular front,spring boot back)时,所有方法都可以工作,包括put和delete。但一旦我在服务器上部署了put和delete,返回403 forbidden,而get和post工作就完美了。
我已经搜索了很多,很多答案指向csrf。我试过用不同的方式配置它,但是找不到问题。请注意,post确实有效,它也会通过我的定制csrf过滤器。
这是我当前的配置:

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

    http.headers().frameOptions().sameOrigin().httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000);

    http.cors().and().csrf().disable();

    http.httpBasic().and().addFilterAfter(new CustomCsrfFilter(),CsrfFilter.class); 

    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {

        CorsConfiguration configuration = new CorsConfiguration ();
        configuration.setAllowedOrigins (Arrays.asList ("http://localhost:4200","https://intrauat.web.bc","https://intrait.web.bc","https://intra.web.bc"));
        configuration.setAllowedMethods (Arrays.asList ("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowedHeaders (Arrays.asList ("Content-Type"));
        configuration.setAllowCredentials (true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource ();
        source.registerCorsConfiguration ("/**", configuration);
        return source;

    }

}
@Component
public class CustomCsrfFilter extends OncePerRequestFilter {

    public static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
    protected static final String RESPONSE_TOKEN_NAME = "X-CSRF-TOKEN";

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {

    boolean errorFound = false;

    String url = request.getRequestURL().toString();
    String methodType = request.getMethod();
    String origin =  request.getHeader("origin");   
    String referer = request.getHeader("referer");

    if(isNotNull(url) &&  url.contains("/scripts/jquery")){     
        response.sendError(403, "Access Denied");       
    }
    else{

    errorFound = subcrsfProcessing(request, response, errorFound, url, methodType, origin, referer);

    }

        if(errorFound){
            response.sendError(404, " Bad Request for csrf ");
        }
        else{
            filterChain.doFilter(request, response);
        }

    }

    private boolean subcrsfProcessing(HttpServletRequest request, HttpServletResponse response, boolean errorFound,
            String url, String methodType, String origin, String referer) {
        if(isNotNull(url) && isNotNull(methodType) && 
                (methodType.equalsIgnoreCase("POST")|| methodType.equalsIgnoreCase("PATCH")|| methodType.equalsIgnoreCase("DELETE") 
                        || methodType.equalsIgnoreCase("PUT"))){
                if (referer==null && origin == null && url.contains("/api/")) {
                    errorFound = true;
                } else {

                        String cookieFromAngular = request.getParameter("token");

                        Cookie cookie = new Cookie(CSRF_COOKIE_NAME, cookieFromAngular);
                        cookie.setSecure(true);
                        cookie.setPath("/");            
                        cookie.setHttpOnly(false);
                        response.addCookie(cookie);   
                        request.getSession().setAttribute(CSRF_COOKIE_NAME, cookieFromAngular);                 

                }
        }
        return errorFound;
    }

    private static boolean isNotNull(String str){
        return (null != str && !str.isEmpty());
    }

}

谢谢您!

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题