spring security POST请求 报403 Forbidden

Security配置代码：

protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                // 登录成功
                .successHandler(loginSuccessHandler)
                // 登录失败
                .failureHandler(loginFailureHandler).permitAll()
                .and()
                // 未登录请求资源
                .exceptionHandling().authenticationEntryPoint(forbiddenEntryPoint)
                .and()
                // 允许任何请求（不管有没有权限以及拥有何种权限）登出
                .logout().logoutSuccessHandler(logoutHandler);

    }

使用/**过滤掉了所有路径 ，但它还是报403，

修改成GET请示居然就通过了

为了查看这个请示具体的执行过程，把日志级别调整到debug,看一下是否有收获：

[2020-11-23 15:11:17,990][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] HttpSession returned null object for SPRING_SECURITY_CONTEXT (HttpSessionSecurityContextRepository.java:189)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@587bedb7. A new one will be created. (HttpSessionSecurityContextRepository.java:119)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] /sysuser/getAllUsers at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] Invalid CSRF token found for http://localhost:8082/sysuser/getAllUsers (CsrfFilter.java:110)
[2020-11-23 15:11:17,991][DEBUG][http-nio-8082-exec-1] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4f1f9d8 (HstsHeaderWriter.java:129)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. (HttpSessionSecurityContextRepository.java:355)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] SecurityContextHolder now cleared, as request processing completed (SecurityContextPersistenceFilter.java:119)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] /error at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] /error at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] HttpSession returned null object for SPRING_SECURITY_CONTEXT (HttpSessionSecurityContextRepository.java:189)
[2020-11-23 15:11:17,992][DEBUG][http-nio-8082-exec-1] No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@587bedb7. A new one will be created. (HttpSessionSecurityContextRepository.java:119)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] Checking match of request : '/error'; against '/logout' (AntPathRequestMatcher.java:176)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] Checking match of request : '/error'; against '/login' (AntPathRequestMatcher.java:176)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] saved request doesn't match (HttpSessionRequestCache.java:95)
[2020-11-23 15:11:17,993][DEBUG][http-nio-8082-exec-1] /error at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@f39eef0f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 03BB1A49755357199553DC4C322C410B; Granted Authorities: ROLE_ANONYMOUS' (AnonymousAuthenticationFilter.java:100)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] /error at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' (FilterChainProxy.java:328)
[2020-11-23 15:11:17,994][DEBUG][http-nio-8082-exec-1] Request '/error' matched by universal pattern '/**' (AntPathRequestMatcher.java:166)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Secure object: FilterInvocation: URL: /error; Attributes: [permitAll] (AbstractSecurityInterceptor.java:219)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@f39eef0f: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 03BB1A49755357199553DC4C322C410B; Granted Authorities: ROLE_ANONYMOUS (AbstractSecurityInterceptor.java:348)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@34fa19b9, returned: 1 (AffirmativeBased.java:66)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] Authorization successful (AbstractSecurityInterceptor.java:243)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] RunAsManager did not change Authentication object (AbstractSecurityInterceptor.java:256)
[2020-11-23 15:11:17,995][DEBUG][http-nio-8082-exec-1] /error reached end of additional filter chain; proceeding with original chain (FilterChainProxy.java:313)
[2020-11-23 15:11:17,996][DEBUG][http-nio-8082-exec-1] "ERROR" dispatch for POST "/error", parameters={} (LogFormatUtils.java:90)
[2020-11-23 15:11:17,997][DEBUG][http-nio-8082-exec-1] Mapped to public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> com.crhms.seabow.controller.ErrorController.error(javax.servlet.http.HttpServletRequest) (AbstractHandlerMapping.java:420)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] 执行Controller开始：ResponseEntity com.crhms.seabow.controller.ErrorController.error(HttpServletRequest) (LoggingInterceptor.java:38)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] 请求地址 : http://localhost:8082/error (LoggingInterceptor.java:66)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] HTTP方法 : POST (LoggingInterceptor.java:67)
[2020-11-23 15:11:17,998][INFO ][http-nio-8082-exec-1] IP地址 : 0:0:0:0:0:0:0:1 (LoggingInterceptor.java:68)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 请求目标类 : com.crhms.seabow.controller.ErrorController.error (LoggingInterceptor.java:69)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 参数 : [SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.context.HttpSessionSecurityContextRepository$Servlet3SaveToSessionRequestWrapper@21b0f660]] (LoggingInterceptor.java:70)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 执行Controller结束:  (LoggingInterceptor.java:42)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 耗时：1(毫秒). (LoggingInterceptor.java:45)
[2020-11-23 15:11:17,999][INFO ][http-nio-8082-exec-1] 请求处理结束：0000000000000000000000:<403 FORBIDDEN Forbidden,{msg=Forbidden, code=403},[]> (LoggingInterceptor.java:75)
[2020-11-23 15:11:18,000][DEBUG][http-nio-8082-exec-1] Using 'application/json', given [*/*] and supported [application/json] (AbstractMessageConverterMethodProcessor.java:268)
[2020-11-23 15:11:18,000][DEBUG][http-nio-8082-exec-1] Writing [{msg=Forbidden, code=403}] (LogFormatUtils.java:90)
[2020-11-23 15:11:18,000][DEBUG][http-nio-8082-exec-1] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. (HttpSessionSecurityContextRepository.java:355)
[2020-11-23 15:11:18,001][DEBUG][http-nio-8082-exec-1] Exiting from "ERROR" dispatch, status 403 (FrameworkServlet.java:1126)
[2020-11-23 15:11:18,001][DEBUG][http-nio-8082-exec-1] Chain processed normally (ExceptionTranslationFilter.java:121)
[2020-11-23 15:11:18,001][DEBUG][http-nio-8082-exec-1] SecurityContextHolder now cleared, as request processing completed (SecurityContextPersistenceFilter.java:119)

可以看/sysuser/getAllUsers这个请求在security的第四个filter：CsrfFilter是开始报错了，错误信息：Invalid CSRF token found for http://localhost:8082/sysuser/getAllUsers (CsrfFilter.java:110)，

查阅资料后发现这是一个RESTful技术与CSRF(Cross-site request forgery跨站请求伪造)的冲突造成的，CSRF默认支持的方法： GET|HEAD|TRACE|OPTIONS，不支持POST。可以在security在配置中禁用掉它。

protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").permitAll()
                //需要权限ROLE_COMMON 才可以访问的路径   <a th:href="@{/common/test}">去test.html</a>
                //.antMatchers("/common/**").hasRole("COMMON")
                // 只有具有任意的某个权限就可以访问其他访问-没有权限还是无法访问的
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                // 登录成功
                .successHandler(loginSuccessHandler)
                // 登录失败
                .failureHandler(loginFailureHandler).permitAll()
                .and()
                // 未登录请求资源
                .exceptionHandling().authenticationEntryPoint(forbiddenEntryPoint)
                .and()
                // 允许任何请求（不管有没有权限以及拥有何种权限）登出
                .logout().logoutSuccessHandler(logoutHandler)
                .and()
                .csrf().disable();;

    }

请示就可以正常访问了：

[2020-11-23 15:20:29,311][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,312][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,312][DEBUG][http-nio-8082-exec-2] No HttpSession currently exists (HttpSessionSecurityContextRepository.java:177)
[2020-11-23 15:20:29,313][DEBUG][http-nio-8082-exec-2] No SecurityContext was available from the HttpSession: null. A new one will be created. (HttpSessionSecurityContextRepository.java:119)
[2020-11-23 15:20:29,315][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,316][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,316][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', GET] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Request 'POST /sysuser/getAllUsers' doesn't match 'GET /logout' (AntPathRequestMatcher.java:156)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', POST] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Checking match of request : '/sysuser/getAllUsers'; against '/logout' (AntPathRequestMatcher.java:176)
[2020-11-23 15:20:29,317][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', PUT] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] Request 'POST /sysuser/getAllUsers' doesn't match 'PUT /logout' (AntPathRequestMatcher.java:156)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] Trying to match using Ant [pattern='/logout', DELETE] (OrRequestMatcher.java:65)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] Request 'POST /sysuser/getAllUsers' doesn't match 'DELETE /logout' (AntPathRequestMatcher.java:156)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] No matches found (OrRequestMatcher.java:72)
[2020-11-23 15:20:29,318][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 5 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] Checking match of request : '/sysuser/getAllUsers'; against '/login' (AntPathRequestMatcher.java:176)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] saved request doesn't match (HttpSessionRequestCache.java:95)
[2020-11-23 15:20:29,319][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,321][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@200ee26e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' (AnonymousAuthenticationFilter.java:100)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] Requested session ID 03BB1A49755357199553DC4C322C410B is invalid. (SessionManagementFilter.java:124)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,322][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' (FilterChainProxy.java:328)
[2020-11-23 15:20:29,323][DEBUG][http-nio-8082-exec-2] Request '/sysuser/getAllUsers' matched by universal pattern '/**' (AntPathRequestMatcher.java:166)
[2020-11-23 15:20:29,323][DEBUG][http-nio-8082-exec-2] Secure object: FilterInvocation: URL: /sysuser/getAllUsers; Attributes: [permitAll] (AbstractSecurityInterceptor.java:219)
[2020-11-23 15:20:29,323][DEBUG][http-nio-8082-exec-2] Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@200ee26e: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS (AbstractSecurityInterceptor.java:348)
[2020-11-23 15:20:29,329][DEBUG][http-nio-8082-exec-2] Voter: org.springframework.security.web.access.expression.WebExpressionVoter@61252, returned: 1 (AffirmativeBased.java:66)
[2020-11-23 15:20:29,329][DEBUG][http-nio-8082-exec-2] Authorization successful (AbstractSecurityInterceptor.java:243)
[2020-11-23 15:20:29,329][DEBUG][http-nio-8082-exec-2] RunAsManager did not change Authentication object (AbstractSecurityInterceptor.java:256)
[2020-11-23 15:20:29,330][DEBUG][http-nio-8082-exec-2] /sysuser/getAllUsers reached end of additional filter chain; proceeding with original chain (FilterChainProxy.java:313)
[2020-11-23 15:20:29,335][DEBUG][http-nio-8082-exec-2] POST "/sysuser/getAllUsers", parameters={} (LogFormatUtils.java:90)
[2020-11-23 15:20:29,343][DEBUG][http-nio-8082-exec-2] Mapped to public java.util.Map com.crhms.seabow.controller.UserController.getAllUsers() (AbstractHandlerMapping.java:420)
[2020-11-23 15:20:29,354][INFO ][http-nio-8082-exec-2] 执行Controller开始：Map com.crhms.seabow.controller.UserController.getAllUsers() (LoggingInterceptor.java:38)
[2020-11-23 15:20:29,354][INFO ][http-nio-8082-exec-2] 请求地址 : http://localhost:8082/sysuser/getAllUsers (LoggingInterceptor.java:66)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] HTTP方法 : POST (LoggingInterceptor.java:67)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] IP地址 : 0:0:0:0:0:0:0:1 (LoggingInterceptor.java:68)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] 请求目标类 : com.crhms.seabow.controller.UserController.getAllUsers (LoggingInterceptor.java:69)
[2020-11-23 15:20:29,355][INFO ][http-nio-8082-exec-2] 参数 : [] (LoggingInterceptor.java:70)
[2020-11-23 15:20:29,358][INFO ][http-nio-8082-exec-2] 执行Controller结束:  (LoggingInterceptor.java:42)
[2020-11-23 15:20:29,358][INFO ][http-nio-8082-exec-2] 耗时：4(毫秒). (LoggingInterceptor.java:45)
[2020-11-23 15:20:29,359][INFO ][http-nio-8082-exec-2] 请求处理结束：0000000000000000000000:{} (LoggingInterceptor.java:75)
[2020-11-23 15:20:29,374][DEBUG][http-nio-8082-exec-2] Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json, application/x-jackson-smile, application/cbor] (AbstractMessageConverterMethodProcessor.java:268)
[2020-11-23 15:20:29,374][DEBUG][http-nio-8082-exec-2] Writing [AjaxResponse(status=200, msg=, total=0, data={})] (LogFormatUtils.java:90)
[2020-11-23 15:20:29,386][DEBUG][http-nio-8082-exec-2] Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@45005c12 (HstsHeaderWriter.java:129)
[2020-11-23 15:20:29,387][DEBUG][http-nio-8082-exec-2] SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession. (HttpSessionSecurityContextRepository.java:355)
[2020-11-23 15:20:29,390][DEBUG][http-nio-8082-exec-2] Completed 200 OK (FrameworkServlet.java:1130)
[2020-11-23 15:20:29,395][DEBUG][http-nio-8082-exec-2] Chain processed normally (ExceptionTranslationFilter.java:121)
[2020-11-23 15:20:29,395][DEBUG][http-nio-8082-exec-2] SecurityContextHolder now cleared, as request processing completed (SecurityContextPersistenceFilter.java:119)