
java - Spring WebSecurity throws 401 on 'ignored' resources when an exception is thrown in the Controller

Reposted. Author: 行者123. Updated: 2023-11-30 05:40:32

I have a Spring Boot application set up with Spring Security and OneLogin as the JWT token provider.

The WebConfig class looks like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@EnableResourceServer
@EnableWebSecurity
@Configuration
public class WebConfig extends WebSecurityConfigurerAdapter {

    // Requests matching these patterns bypass the security filter chain entirely.
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().mvcMatchers(
                "/actuator/info",
                "/actuator/health",
                "/someArbitraryPath/**");
    }
}

So far so good: every endpoint other than the ones above is secured and only works when a (valid) JWT token is passed. The configuration above appears to work when no authentication header is passed at all, which is exactly what I want.

Except... when one of the two calls under "/someArbitraryPath/someDto/" throws an exception (configured to return ResponseStatus "NOT_FOUND"), I get a 401 result.

So, under "/someArbitraryPath" I have the following (publicly accessible) REST controller:

import java.util.List;

import org.springframework.data.domain.Page;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/someArbitraryPath")
public class SomeArbitraryApiController {
    private final SomeArbitraryService service;
    private final SomeArbitraryDtoMapper dtoMapper;

    public SomeArbitraryApiController(SomeArbitraryService service, SomeArbitraryDtoMapper dtoMapper) {
        this.service = service;
        this.dtoMapper = dtoMapper;
    }

    // Paged listing; both query parameters have defaults so the request never fails on a missing one.
    @GetMapping(value = "/someDtosList", params = {"page", "size"})
    @Transactional(readOnly = true)
    public SomePageDto getSomeDtoPage(
            @RequestParam(value = "page", required = false, defaultValue = "0") int page,
            @RequestParam(value = "size", required = false, defaultValue = "250") int size) {
        Page<SomeObject> someDtoPage = service.searchPageOfSomeObjects(page, size);
        List<SomeDto> someDtoList = dtoMapper.someObjectsToDtos(someDtoPage.getContent());
        PageDto pageDto = new PageDto(size, someDtoPage.getTotalElements(), someDtoPage.getTotalPages(), page);
        return new SomePageDto(someDtoList, pageDto);
    }

    // Single lookup; the service throws ResourceNotFoundException when the id is unknown.
    @GetMapping("/someDtosList/{dtoId}")
    @Transactional(readOnly = true)
    public SomeDto getSomeDtoById(@PathVariable(value = "dtoId") String dtoId) {
        return dtoMapper.objectToDto(
                service.getSomeObjectById(dtoId)
        );
    }
}

The last of the two calls (retrieving a specific SomeDto object) may throw a ResourceNotFoundException, which is configured to return ResponseStatus NOT_FOUND:

import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ResponseStatus;

@ResponseStatus(value = HttpStatus.NOT_FOUND)
public class ResourceNotFoundException extends RuntimeException {
    public ResourceNotFoundException(String resourceName, String fieldName, Object fieldValue) {
        super(String.format("%s not found with %s : '%s'", resourceName, fieldName, fieldValue));
    }
}

However, on the unsecured call no 404 HTTP status is returned; instead this comes back as 401 Unauthorized:

{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}

However, when I explicitly catch the exception in the RestController and set the response status on the HttpServletResponse object with

response.setStatus(HttpStatus.SC_NOT_FOUND);

then I do get a 404. But that is not what I want (and I don't want to reconfigure the same error object, do I).

When I call this endpoint with a valid JWT token, it does return the correct 404 error with the correct body.

What am I doing wrong?

Best answer

Digging further into the DEBUG logs, I found the problem.

When an exception carrying an HTTP status code is thrown, Spring actually redirects to /error. So, for security purposes, that endpoint has to be added to the ignored endpoints as well.

2019-04-18 15:47:36,950 DEBUG o.s.web.servlet.DispatcherServlet - Completed 404 NOT_FOUND, headers={} 
2019-04-18 15:47:36,958 DEBUG o.a.c.c.C.[Tomcat].[localhost] - Processing ErrorPage[errorCode=0, location=/error]
2019-04-18 15:47:36,962 DEBUG o.a.catalina.core.StandardWrapper - Returning non-STM instance
2019-04-18 15:47:36,962 DEBUG s.d.s.w.PropertySourcedRequestMappingHandlerMapping - looking up handler for path: /error
2019-04-18 15:47:36,968 DEBUG s.d.s.w.PropertySourcedRequestMappingHandlerMapping - looking up handler for path: /error
2019-04-18 15:47:36,968 DEBUG s.d.s.w.PropertySourcedRequestMappingHandlerMapping - looking up handler for path: /error
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/v2/api-docs'
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-resources/configuration/ui'
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-resources'
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-resources/configuration/security'
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-ui.html'
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/webjars/**'
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/logout'
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /logout'
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'PUT /logout'
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'DELETE /logout'
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
2019-04-18 15:47:36,971 DEBUG o.s.security.web.FilterChainProxy - /error at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2019-04-18 15:47:36,971 DEBUG o.s.s.o.p.a.BearerTokenExtractor - Token not found in headers. Trying request parameters.
2019-04-18 15:47:36,971 DEBUG o.s.s.o.p.a.BearerTokenExtractor - Token not found in request parameters. Not an OAuth2 request.
2019-04-18 15:47:36,971 DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter - No token in request, will continue chain.
2019-04-18 15:47:36,971 DEBUG o.s.security.web.FilterChainProxy - /error at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-04-18 15:47:36,971 DEBUG o.s.security.web.FilterChainProxy - /error at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-04-18 15:47:36,972 DEBUG o.s.security.web.FilterChainProxy - /error at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-04-18 15:47:36,973 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@c875a1a4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2019-04-18 15:47:36,973 DEBUG o.s.security.web.FilterChainProxy - /error at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-04-18 15:47:36,973 DEBUG o.s.security.web.FilterChainProxy - /error at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-04-18 15:47:36,973 DEBUG o.s.security.web.FilterChainProxy - /error at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2019-04-18 15:47:36,974 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /error; Attributes: [#oauth2.throwOnError(authenticated)]
2019-04-18 15:47:36,974 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@c875a1a4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2019-04-18 15:47:36,979 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@789f882a, returned: -1
2019-04-18 15:47:36,982 DEBUG o.s.b.a.a.listener.AuditListener - AuditEvent [timestamp=2019-04-18T13:47:36.981Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}]
2019-04-18 15:47:36,982 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:712)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:394)
at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:253)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:175)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Many thanks for pointing me in the right direction, dur!
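The fix the answer describes, written out as an added example (this is not the poster's code): the same WebConfig as in the question, with "/error" added to the ignore list. The log above shows why it is needed: Tomcat's error-page handling forwards the failed request to /error, that forward passes through the security filter chain a second time, no bearer token is present, and FilterSecurityInterceptor rejects the anonymous principal with a 401 that replaces the intended 404. The class and pattern names are the question's; the comments are mine.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@EnableResourceServer
@EnableWebSecurity
@Configuration
public class WebConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().mvcMatchers(
                // Public endpoints exactly as in the question.
                "/actuator/info",
                "/actuator/health",
                "/someArbitraryPath/**",
                // The servlet container forwards every error response (404 from
                // @ResponseStatus included) to this path. Without this entry the
                // forward is evaluated by the security filter chain without a
                // token and is turned into a 401, regardless of which endpoint
                // originally failed.
                "/error");
    }
}
```

Two things to check after applying this. First, /error is now served to unauthenticated callers, so confirm the error body exposes nothing beyond the status, the path and the timestamp; in Spring Boot the properties `server.error.include-stacktrace` and `server.error.include-message` control how much of the exception is rendered. Second, `web.ignoring()` removes the whole filter chain from that path, not just authentication, so any security headers written by the chain will be absent on error responses; if that matters, the alternative is to leave /error in the chain and mark it permitAll in the resource server's HttpSecurity configuration instead.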

Regarding "java - Spring WebSecurity throws 401 on 'ignored' resources when an exception is thrown in the Controller", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55745580/
