Reference Links: https://segmentfault.com/q/1010000012743613
There are two controller, a @RequestMapping is accessible to all users ( "user"),
there is a @RequestMapping administrator can access ( "admin").
/ user / login is the login url UserController in.
All operations (except Logout) can be carried out after login.
Springboot now want to use in conjunction with spring security to achieve rights management.
The system is an isolated front and rear ends, the Controller returns the data, does not return a page, WebMvcConfig there is no configuration.
But / user / login, post how not pass. It reported 403 errors.
This is the error message
This is WebSecurityConfig
@Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean UserDetailsService customUserService() { //注册UserDetailsService 的bean return new CustomUserService(); } @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/**").access("hasRole('ROLE_USER')") .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')") .anyRequest().authenticated().and() // access after login // .rememberMe().tokenValiditySeconds(60 * 60 * 24 * 7).key("").and() .formLogin().loginProcessingUrl("user/login").permitAll().and() .logout().permitAll(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(customUserService()); } }
This is CustomUserService
@Service public class CustomUserService implements UserDetailsService { @Autowired private UserService userService; @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException { System.out.println("loadUser " + s); User user = userService.getUserByUsername(s); if (user == null || user.getIsDel() == 1) { throw new UsernameNotFoundException("user not exist"); } List<The GrantedAuthority> = the auths new new the ArrayList <> (); for (Role Role: user.getRoles ()) { auths.add ( new new SimpleGrantedAuthority (role.getName ())); // different users may return different role.name : users with the ROLE_USER, ROLE_ADMIN } return new new org.springframework.security.core.userdetails.User (S, user.getPwd (), the auths); } }
Finally, even though I am nothing in WebSecurity configuration, the default should be it is not authenticated session.
Still can not.
protected void configure(HttpSecurity http) throws Exception { }
Problem Cause and Solution:
Look error, probably because you opened a CSRF protection, close it, in configure(HttpSecurity http)an additional methodhttp.csrf().disable();
