java - spring security spring mvc ajax 请求 controller 被拦截

Question

各位大神 请教个 spring security 问题  
  getAjax("../menu/loadmenu", "", function (data) {
 这样会被拦截 因为 这个地址在数据库里面没有存 
如果 在xml 里面配置了  <security:http pattern="/main/*" security="none"/>
是可以访问了 但是在controller 里面就获取不到当前登录用户的信息了

Answer 1

Are you worried about how to make ajax requests in spring security? General ajax requests are forbidden in Spring Security because the csrf token is null when requesting. The official provides a solution, refer to the official document http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html

The specific method is
1. Add the following code in the head tag of the jsp page:
<meta name="_csrf" content="${_csrf.token}"/>
<!-- default header name is X-CSRF-TOKEN -->
<meta name="_csrf_header" content="${_csrf.headerName}"/>

2. Add the following code before the ajax request:
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header' ]").attr("content");
$(document).ajaxSend(function(e, xhr, options) {
xhr.setRequestHeader(header, token);
});

This way you can use ajax requests normally.
Please refer to my blog http://jeesun.github.io/2016/03/27/Spring-Security%E5%A4%84%E7%90%86Ajax%E8%AF%B7%E6%B1% 82/