admin管理员组文章数量:1122832
`@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {
private final AdminLoginDetailService adminLoginDetailService;
public SecurityConfiguration(final AdminLoginDetailService adminLoginDetailService) {
this.adminLoginDetailService = adminLoginDetailService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf(csrf -> csrf
.ignoringRequestMatchers(
"/admin/**", "/admin/trading-accounts", "/admin/algoSignals", "/vaadinServlet/**", "/VAADIN/**", "/frontend/**", "/frontend-es5/**", "/frontend-es6/**") // Allow Vaadin endpoints
)
.authorizeRequests(auth -> auth
.requestMatchers(request -> HandlerHelper.isFrameworkInternalRequest("/*", request)).permitAll()
.requestMatchers("/admin/trading-accounts", "/admin/algoSignals").authenticated()
.requestMatchers("/vaadinServlet/**", "/VAADIN/**").permitAll()
.anyRequest().permitAll()
)
.formLogin(form -> form
.loginPage("/admin/login")
.defaultSuccessUrl("/admin/trading-accounts", true)
.failureUrl("/admin/login?error=true")
.permitAll()
);
setLoginView(http, LoginView.class);
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
return authConfig.getAuthenticationManager();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().requestMatchers(
"/VAADIN/**",
"/v-r/**",
"/favicon.ico",
"/manifest.json",
"/icons/**",
"/images/**",
"/frontend/**",
"/webjars/**",
"/frontend-es5/**", "/frontend-es6/**"
);
super.configure(web);
}
}
`
I’m working on a Spring Boot application using Vaadin for the frontend and Spring Security for authentication. I'm encountering an issue where Vaadin's internal XHR requests are being blocked with a 403 Forbidden error after login.
`
The error details from the browser console are as follows:
FlowClient-341d667e.js:3 POST http://localhost:8085/?v-r=uidl&v-uiId=3 403 (Forbidden)
FlowClient-341d667e.js:1 Server returned 403 for xhr
FlowClient-341d667e.js:1 Reconnecting because of XHR failure
FlowClient-341d667e.js:1 Reconnect attempt 1 for XHR
FlowClient-341d667e.js:3 Re-sending last message to the server...
FlowClient-341d667e.js:1 Sending xhr message to server: {"csrfToken":"f1fea950-67a6-4c85-9760-3c5b43b27602",
"rpc":[{"type":"publishedEventHandler","node":1,"templateEventMethodName":"connectClient",
"templateEventMethodArgs":["admin/login","","",null,""],"promise":0}],"syncId":0,"clientId":0}`
What I’ve Tried 1.Disabling CSRF entirely: http.csrf(AbstractHttpConfigurer::disable);
2.Configuring CSRF to ignore specific Vaadin endpoints:
`http.csrf(csrf -> csrf
.ignoringRequestMatchers(
"/admin/**", "/admin/trading-accounts", "/admin/algoSignals", "/vaadinServlet/**", "/VAADIN/**", "/frontend/**", "/frontend-es5/**", "/frontend-es6/**")
);`
3.Allowing Vaadin internal requests using HandlerHelper.isFrameworkInternalRequest:
`authorizeRequests(auth -> auth
.requestMatchers(request -> HandlerHelper.isFrameworkInternalRequest("/*", request)).permitAll()
.requestMatchers("/admin/trading-accounts", "/admin/algoSignals").authenticated()
.anyRequest().permitAll()
);
`
This also doesn’t resolve the problem.
本文标签: spring securityGetting 403 Forbidden for Internal XHR RequestsStack Overflow
版权声明:本文标题:spring security - Getting 403 Forbidden for Internal XHR Requests - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1736305330a1932554.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论