Spring @DeleteMapping 结果为 405
我有一个抽象的 CRUD 控制器,它在使用路径变量的同一路径上有 GetMapping 和 DeleteMapping 。两个 HttpMethod 都定义在同一路径上并且没有主体。
GET 工作得很好,但对于 DELETE,我得到了一致的 405 方法不受支持。原始调用是通过 JS 使用以下方法
@Transactional
public abstract class BasicController<T extends Dto, D extends PagingAndSortingRepository<J, Long> & JpaSpecificationExecutor<J>, J> {
@GetMapping("/content/{id}")
public ResponseEntity<DtoResponse<T>> handleGetById(@PathVariable(value = "id") Long id) {
try {
checkAuthorization(getPath(), "get");
Optional<J> jpaObject = getJpaObject(id);
if (jpaObject.isPresent()) {
T dto = getJpaToDtoMapper().apply(jpaObject.get());
DtoResponse<T> response = new DtoResponse<>(List.of(dto));
return new ResponseEntity<>(response, HttpStatus.OK);
} else {
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
}
} catch (AuthorizationException e) {
log.error("User not authorized to get record by Id config for page {}", getPath(), e);
return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
}
}
@DeleteMapping("/content/{id}")
public ResponseEntity<DtoResponse<String>> handleDelete(@PathVariable(value = "id") Long id) {
try {
checkAuthorization(getPath(), "delete");
performValidationsBeforeDelete(id);
if (dao.existsById(id)) {
dao.deleteById(id);
return new ResponseEntity<>(HttpStatus.OK);
} else {
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
}
} catch (BasicValidationException e) {
log.error("User not authorized to delete {} because of {}", id, e.getErrors(), e);
return new ResponseEntity<>(new DtoResponse<>(e.getErrors(), false), HttpStatus.BAD_REQUEST);
} catch (AuthorizationException e) {
log.error("User not authorized to delete {}", id, e);
return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
}
}
和实现进行的:
@Controller
@RequestMapping(UserRoleController.PATH)
public class UserRoleController extends BasicController<UserRegistrationDto, UserDao, User> {
protected static final String PATH = "maintenance/userrole";
protected UserRoleController(UserDao dao) {
super(dao);
}
@Override
public Function<User, UserRegistrationDto> getJpaToDtoMapper() {
return user -> {
UserRegistrationDto dto = new UserRegistrationDto();
dto.setFirstName(user.getFirstName());
dto.setLastName(user.getLastName());
dto.setUserName(user.getUserName());
dto.setEmail(user.getEmail());
dto.setPassword("f-off");
dto.setConfirmedPassword("you wished");
dto.setUserRolesDtoList(new ArrayList<>());
for (Role role : user.getRole()) {
UserRolesDto userRolesDto = new UserRolesDto();
userRolesDto.setUserId(role.getId());
userRolesDto.setRoleId(role.getId());
dto.getUserRolesDtoList().add(userRolesDto);
}
return dto;
};
}
@Override
public Function<UserRegistrationDto, User> getDtoToJpaMapper() {
return dto -> new User(dto.getFirstName(), dto.getLastName(), dto.getUserName(), dto.getEmail(), dto.getPassword(), "enc", 0, new Date());
}
@Override
public Class<User> getJpaClass() {
return User.class;
}
@Override
public Class<UserRegistrationDto> getDtoClass() {
return UserRegistrationDto.class;
}
@Override
protected void performValidationsBeforeCreate(User newModel, HttpServletRequest request) throws BasicValidationException {
//do nothing
}
@Override
protected void performValidationsBeforeUpdate(User existingModel, User newModel, HttpServletRequest request) throws BasicValidationException {
//do nothing
}
@Override
protected void performValidationsBeforeDelete(Long id) throws BasicValidationException {
//do nothing
}
@Override
public void handleAction() {
//do nothing
}
@Override
public String getPath() {
return PATH;
}
}
JavaScript 执行调用。 _this.pageUrl 在“http://localhost:8080/maintenance/userrole”页面上包含“userrole”字符串。这会导致对 URL 的调用,在 Chrome 开发人员的“网络”选项卡中也可见。
DELETE http://localhost:8080/maintenance/userrole/content/1
url 很好,当使用 GET 访问此 URL 时,它可以工作,并且路径的定义方式完全相同...
this.pageConfig.sourceConfig.deleterow = function (rowid, commit) {
let xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = () => {
if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
commit(true);
} else if (xmlHttp.readyState === 4 && xmlHttp.status !== 200) {
//todo: handle exceptions properly
commit(false);
}
}
xmlHttp.open("DELETE", _this.pageUrl+"/content/"+rowid, false); // true for asynchronous
xmlHttp.send();
};
当执行 GET 时,我得到了预期的结果目的。当使用 POSTMAN 并执行 GET 时,它也可以工作,当在 URL 上执行 OPTIONS 时,我得到以下 ALLOW 标头值:DELETE、GET、HEAD、OPTIONS。
如果我删除 DeleteMapping,则在使用 OPTIONS 时,DELETE 在 ALLOW 标头值上不可用。换句话说,Spring 公开了 DELETE 方法,但它现在才能够以某种方式解决它。
在 Postman 中,使用 DELETE,我尝试了所有可以定义的正文类型,所有这些都具有相同的 405 结果。 (请注意,主体始终为空)
我也尝试设置 spring.mvc.hiddenmethod.filter.enabled=true 但这也没有任何效果。
此外,我尝试创建一个简单的控制器,只有一个删除映射方法,没有任何模糊(没有抽象等),我也得到了 405。
我缺少什么,启用 DELETE 是否需要任何特定配置?为什么 Spring 无法解决它...
我记得在 POST 中我遇到了类似的问题,并且设置 Consumes 和 Produces 属性有效,但在这种情况下,我没有消耗任何特定数据,因为参数来自路径变量。
I have an abstract crud controller which has a GetMapping and DeleteMapping on the same path which uses pathvariables. Both HttpMethods are defined on the same path and are without body.
The GET works perfectly fine, but for the DELETE i am getting a consistent 405 Method not supported. The original calls are made via JS using the below method
@Transactional
public abstract class BasicController<T extends Dto, D extends PagingAndSortingRepository<J, Long> & JpaSpecificationExecutor<J>, J> {
@GetMapping("/content/{id}")
public ResponseEntity<DtoResponse<T>> handleGetById(@PathVariable(value = "id") Long id) {
try {
checkAuthorization(getPath(), "get");
Optional<J> jpaObject = getJpaObject(id);
if (jpaObject.isPresent()) {
T dto = getJpaToDtoMapper().apply(jpaObject.get());
DtoResponse<T> response = new DtoResponse<>(List.of(dto));
return new ResponseEntity<>(response, HttpStatus.OK);
} else {
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
}
} catch (AuthorizationException e) {
log.error("User not authorized to get record by Id config for page {}", getPath(), e);
return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
}
}
@DeleteMapping("/content/{id}")
public ResponseEntity<DtoResponse<String>> handleDelete(@PathVariable(value = "id") Long id) {
try {
checkAuthorization(getPath(), "delete");
performValidationsBeforeDelete(id);
if (dao.existsById(id)) {
dao.deleteById(id);
return new ResponseEntity<>(HttpStatus.OK);
} else {
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
}
} catch (BasicValidationException e) {
log.error("User not authorized to delete {} because of {}", id, e.getErrors(), e);
return new ResponseEntity<>(new DtoResponse<>(e.getErrors(), false), HttpStatus.BAD_REQUEST);
} catch (AuthorizationException e) {
log.error("User not authorized to delete {}", id, e);
return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
}
}
and the implementation:
@Controller
@RequestMapping(UserRoleController.PATH)
public class UserRoleController extends BasicController<UserRegistrationDto, UserDao, User> {
protected static final String PATH = "maintenance/userrole";
protected UserRoleController(UserDao dao) {
super(dao);
}
@Override
public Function<User, UserRegistrationDto> getJpaToDtoMapper() {
return user -> {
UserRegistrationDto dto = new UserRegistrationDto();
dto.setFirstName(user.getFirstName());
dto.setLastName(user.getLastName());
dto.setUserName(user.getUserName());
dto.setEmail(user.getEmail());
dto.setPassword("f-off");
dto.setConfirmedPassword("you wished");
dto.setUserRolesDtoList(new ArrayList<>());
for (Role role : user.getRole()) {
UserRolesDto userRolesDto = new UserRolesDto();
userRolesDto.setUserId(role.getId());
userRolesDto.setRoleId(role.getId());
dto.getUserRolesDtoList().add(userRolesDto);
}
return dto;
};
}
@Override
public Function<UserRegistrationDto, User> getDtoToJpaMapper() {
return dto -> new User(dto.getFirstName(), dto.getLastName(), dto.getUserName(), dto.getEmail(), dto.getPassword(), "enc", 0, new Date());
}
@Override
public Class<User> getJpaClass() {
return User.class;
}
@Override
public Class<UserRegistrationDto> getDtoClass() {
return UserRegistrationDto.class;
}
@Override
protected void performValidationsBeforeCreate(User newModel, HttpServletRequest request) throws BasicValidationException {
//do nothing
}
@Override
protected void performValidationsBeforeUpdate(User existingModel, User newModel, HttpServletRequest request) throws BasicValidationException {
//do nothing
}
@Override
protected void performValidationsBeforeDelete(Long id) throws BasicValidationException {
//do nothing
}
@Override
public void handleAction() {
//do nothing
}
@Override
public String getPath() {
return PATH;
}
}
And the JavaScript doing the calling. The _this.pageUrl contains the "userrole" string while being on the "http://localhost:8080/maintenance/userrole" page. This results in a call to URL as also visible in Network tab of Chrome Developer.
DELETE http://localhost:8080/maintenance/userrole/content/1
The url is fine, when using GET to this URL it works and the path is defined exactly the same way...
this.pageConfig.sourceConfig.deleterow = function (rowid, commit) {
let xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = () => {
if (xmlHttp.readyState === 4 && xmlHttp.status === 200) {
commit(true);
} else if (xmlHttp.readyState === 4 && xmlHttp.status !== 200) {
//todo: handle exceptions properly
commit(false);
}
}
xmlHttp.open("DELETE", _this.pageUrl+"/content/"+rowid, false); // true for asynchronous
xmlHttp.send();
};
When doing a GET I am getting the expected object. When using POSTMAN and doing a GET, it works as well, when doing a OPTIONS on the URL, i am getting the following ALLOW header values: DELETE,GET,HEAD,OPTIONS.
If I remove the DeleteMapping, then the DELETE is not availabe on the ALLOW header values when using OPTIONS. In other words, Spring is exposing that DELETE method, but it's just now able to resolve it somehow
In Postman, using DELETE, i have tried all the body types that could be defined, all with the same 405 result. (note that the body was always empty)
I have also tried settings the spring.mvc.hiddenmethod.filter.enabled=true but this did not have any effect either.
Furthermore i tried to create a simple controller with only a DeleteMapping method without any fuzz (no abstraction and so), i was getting a 405 on this as well.
What am I missing, is there any specific configuration required to enable DELETE? Why is Spring not able to resolve it...
I remember with POST i was having a similar issue and setting the Consumes and Produces attribute worked, but in this scenario I am not consuming any specific data as the parametesr are coming from the path variable.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您是否尝试添加
@ResponseBody因为@Controller每个方法都需要此注释,而@RestController消除了此注释did you try to add
@ResponseBodyas@Controllerneed this annotation for each method while@RestControllereliminates this annotation好吧,经过一些调试和反复试验,我终于找到了问题所在。我启用了 CSRF,但没有将 CSRF 令牌作为标头的一部分传递。通过启用 Spring 的 DEBUG 日志可以轻松识别这一点。有趣的是为什么我当时得到的是 405 而不是 403?
好吧,这是因为我的初始请求被 403 拒绝,然后 Spring 尝试使用相同的 HTTP 方法(DELETE)将我重定向到 /Error 控制器,而 /Error 页面显然不存在该方法......结果我在响应和信息日志中只看到了 405。
当设置 Spring 的日志级别进行调试时,我发现了这一点,它清楚地显示了发生了什么...经验教训:启用调试日志。
Ok, after doing some debugging and trial and error i finally found the problem. I have CSRF enabled and I was not passing the CSRF token as part of the header. This could have easily been identified by enabling DEBUG logs from Spring. The interesting bit is why was I getting the 405 then instead of the 403?
Well, this is because my initial request got rejected with a 403, then Spring tried to redirect me to the /Error controller using the same HTTP Method (DELETE) which obviously does not exist for the /Error page.... As a result i was seeing only the 405 in the response and the info logs.
When setting loglevel of Spring to debug I found this, which clearly shows what was going on... Lessons learned: enable the debug logs.