I am new to Spring Security. When I click login, the site http://localhost:8080/j_spring_security_check responds with:

HTTP Status 403 – Forbidden
Type Status Report
Message Forbidden
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.12

This is web.xml:

<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/webcontext/security-context.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>DefaultServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/webcontext/DispatcherServlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>DefaultServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
</web-app>
2 Answers
喵喵时光机
Contributed 1846 experience points, received more than 7 likes
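Because the request does not contain a CSRF token. Spring Security enables CSRF protection automatically, so the CSRF token must be sent with the request. Simply disabling it is not a good idea; that would leave the whole application wide open.
Add the following hidden input to your form: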
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
If you want to disable CSRF support, do so in security-context.xml (Spring 4+):
<http>
<csrf disabled="true"/>
</http>
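A fuller login page built around the hidden input from the answer above, as an added example that is not part of the original post or of the asker's project. It goes one step beyond the answer by also exposing the token for script-issued POSTs, which need it in a request header. The field names `j_username` and `j_password`, the file name `login.jsp`, and the helper `postWithCsrf` are assumptions; the asker's form and security-context.xml are not shown.

```jsp
<%-- login.jsp (hypothetical file name): added example, not the asker's page. --%>
<%@ page contentType="text/html;charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html>
<head>
  <%-- Spring Security's CsrfFilter exposes the token as the "_csrf" request
       attribute. Publishing it in meta tags lets scripts read it too. --%>
  <meta name="_csrf" content="<c:out value='${_csrf.token}'/>"/>
  <meta name="_csrf_header" content="<c:out value='${_csrf.headerName}'/>"/>
</head>
<body>
  <%-- Assumption: j_username / j_password are the field names configured for
       the /j_spring_security_check URL from the question. Adjust to match
       the form-login element in security-context.xml. --%>
  <form action="<c:url value='/j_spring_security_check'/>" method="post">
    <label>User <input type="text" name="j_username"/></label>
    <label>Password <input type="password" name="j_password"/></label>

    <%-- Without this field the POST is rejected with 403 before the
         credentials are ever checked. --%>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

    <button type="submit">Log in</button>
  </form>

  <script>
    // Script-issued POSTs have no form field to carry the token, so it is
    // sent in the header named by _csrf.headerName instead.
    // postWithCsrf is a hypothetical helper for this example.
    function postWithCsrf(url, body) {
      var token = document.querySelector('meta[name="_csrf"]').getAttribute('content');
      var header = document.querySelector('meta[name="_csrf_header"]').getAttribute('content');
      var xhr = new XMLHttpRequest();
      xhr.open('POST', url);
      xhr.setRequestHeader(header, token);
      xhr.setRequestHeader('Content-Type', 'application/json');
      xhr.send(JSON.stringify(body));
      return xhr;
    }
  </script>
</body>
</html>
```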