After the upgrade, login no longer worked. Changing the login request from POST to GET got it through, but the application's form submissions still did not work. It took a long time to track down the root cause.
Spring Security 4.0 turns CSRF protection on by default, and the CSRF filter rejects any POST whose data carries no token.
Workaround One: add the <csrf disabled="true"/> configuration, which turns CSRF protection off for the whole application.
Workaround Two: exclude the specified URLs from the CSRF filter
Write your own RequestMatcher:
    package com.cnblogs.yjmyzz.utils;

    import java.util.List;
    import java.util.regex.Pattern;

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.web.util.matcher.RequestMatcher;

    public class CsrfSecurityRequestMatcher implements RequestMatcher {
        // HTTP methods that never require a CSRF token
        private Pattern allowedMethods = Pattern
                .compile("^(GET|HEAD|TRACE|OPTIONS)$");

        // Returns true when the request must pass the CSRF token check
        public boolean matches(HttpServletRequest request) {

            if (execludeUrls != null && execludeUrls.size() > 0) {
                String servletPath = request.getServletPath();
                for (String url : execludeUrls) {
                    // Substring match: a path containing the entry anywhere skips the check
                    if (servletPath.contains(url)) {
                        return false;
                    }
                }
            }
            return !allowedMethods.matcher(request.getMethod()).matches();
        }

        /**
         * List of URLs that need to be excluded
         */
        private List<String> execludeUrls;

        public List<String> getExecludeUrls() {
            return execludeUrls;
        }

        public void setExecludeUrls(List<String> execludeUrls) {
            this.execludeUrls = execludeUrls;
        }
    }
This adds a property, execludeUrls, that lists the URLs to exclude from CSRF checking.
Then change the configuration file as follows:
    <http>
        ...
        <intercept-url pattern="/rest/**" access="permitAll"/>
        ...
        <csrf request-matcher-ref="csrfSecurityRequestMatcher"/>
    </http>

    <beans:bean id="csrfSecurityRequestMatcher" class="com.cnblogs.yjmyzz.utils.CsrfSecurityRequestMatcher">
        <beans:property name="execludeUrls">
            <beans:list>
                <beans:value>/rest/</beans:value>
            </beans:list>
        </beans:property>
    </beans:bean>
By convention, every address that begins with /rest/ is a REST service, and the configuration above excludes /rest/ from CSRF validation.
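The exclusion decision in isolation, as an added example that is not the original post's code: the matcher tests each entry with a substring match, so the /rest/ entry also exempts paths that merely contain it, while the stated convention is paths that begin with /rest/. The class name, method names and sample requests are constructed for illustration, and the request is reduced to a method and a servlet path so the code runs on a plain JDK without Spring.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the original post's code. Pure JDK: the request is reduced
// to its HTTP method and servlet path so the decision logic runs without Spring.
public class CsrfExclusionDemo {
    private static final Pattern SAFE_METHODS = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");

    // Same decision as the post's matcher: an entry anywhere in the path exempts the request.
    static boolean requiresCsrfContains(String method, String path, List<String> excluded) {
        for (String url : excluded) {
            if (path.contains(url)) {
                return false;
            }
        }
        return !SAFE_METHODS.matcher(method).matches();
    }

    // Stricter variant: the path must begin with the entry to be exempt.
    static boolean requiresCsrfPrefix(String method, String path, List<String> excluded) {
        for (String url : excluded) {
            if (path.startsWith(url)) {
                return false;
            }
        }
        return !SAFE_METHODS.matcher(method).matches();
    }

    public static void main(String[] args) {
        List<String> excluded = Arrays.asList("/rest/");
        // Constructed sample requests: {method, servlet path}.
        String[][] samples = {
            {"POST", "/rest/orders"},       // intended exemption
            {"POST", "/account/update"},    // ordinary form post
            {"POST", "/admin/rest/users"},  // contains "/rest/" but does not begin with it
            {"GET",  "/account/view"},      // safe method, token never required
        };
        for (String[] s : samples) {
            System.out.printf("%-4s %-18s contains=%-5b prefix=%b%n", s[0], s[1],
                    requiresCsrfContains(s[0], s[1], excluded),
                    requiresCsrfPrefix(s[0], s[1], excluded));
        }
    }
}
```

In the matcher itself, the equivalent change is replacing servletPath.contains(url) with servletPath.startsWith(url).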
Solution Three: include the CSRF token in the request
Reference: http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-logout