有2个问题SecurityConfiguration.java
使其无法正常运行。
尽管该403 Forbidden
错误消息未包含任何指示其失败原因的消息(请参见下面的示例),但事实证明,这是由于启用了CSRF而导致的。禁用它允许POST
和DELETE
要求进行处理。
{
"timestamp": "2018-06-26T09:17:19.672+0000",
"status": 403,
"error": "Forbidden",
"message": "Forbidden",
"path": "/routeB"
}
另外,antMatched(HttpMethod, String)
forRouteB
中使用的表达式也是错误的,因为/routeB/*
期望它在after之后有 一些东西/
。正确的配置是/routeB/**
因为可以 存在( 或不 存在)更多路径。
该 SecurityConfiguration.java
IS
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and().
authorizeRequests().antMatchers(HttpMethod.GET, "/**").hasAnyRole("ADMIN", "USER")
.antMatchers(HttpMethod.POST, "/routeA/**").hasAnyRole("ADMIN", "USER")
.antMatchers(HttpMethod.POST, "/routeB/**").hasRole("ADMIN")
.antMatchers(HttpMethod.DELETE, "/routeB/**").hasRole("ADMIN").and().
requestCache().requestCache(new NullRequestCache()).and().
httpBasic().authenticationEntryPoint(authenticationEntryPoint).and().
cors().and().
csrf().disable();
}