
java - RestTemplate does not fail with a 403 or 302 error when requesting a secured page

Reposted. Author: 行者123. Updated: 2023-12-01 11:10:20

I have a web application using spring-security 4.0.1 and spring mvc 4.1.6. It has the following Spring Security configuration for the view page "/admin" and the data API "/admin/api/properties":

<http pattern="/admin.*" request-matcher="regex" auto-config="false">
    <intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
    <intercept-url pattern="/admin/api/.+" access="hasRole('ADMIN')"/>
    <logout logout-url="/admin/logout" success-handler-ref="customLogoutSuccessHandler"/>
    <form-login login-page="/admin/login" login-processing-url="/admin/login"
                authentication-success-handler-ref="customSuccessHandler"
                authentication-failure-handler-ref="customFailureHandler"/>
    <csrf disabled="true" />
</http>

This works fine. But now I am trying to test the security by sending requests to "/admin" and "/admin/api/properties" through a RestTemplate with different credentials.

private HttpStatus fetchAccessStatusForPage(String username, String password, String requestUrl) {
    HttpHeaders headers = new HttpHeaders();
    String token = username + ":" + password;
    // HTTP Basic credentials: the scheme name is "Basic" (the original snippet had "Base ")
    String authorizationValue = "Basic " + new String(Base64.encode(token.getBytes()));
    headers.add("Authorization", authorizationValue);
    headers.setContentType(MediaType.APPLICATION_JSON);
    HttpEntity<Object> httpEntity = new HttpEntity<>(headers);
    HttpStatus resultCode;
    try {
        ResponseEntity<Object> responseEntity = restTemplate.exchange(requestUrl, HttpMethod.GET, httpEntity, Object.class);
        resultCode = responseEntity.getStatusCode();
    } catch (HttpClientErrorException e) {
        // RestTemplate's default error handler throws for 4xx responses; 3xx responses are returned, not thrown
        resultCode = e.getStatusCode();
    }
    return resultCode;
}

But it always gives me a 200 OK status code, regardless of the credentials I supply and regardless of which API I test. I also tried the following (without any credentials), and for some reason the response code is also 200 OK.

HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<Object> httpEntity = new HttpEntity<>(headers);
// No Authorization header at all: the request is anonymous
ResponseEntity<String> responseEntity = restTemplate.exchange(adminPageUrl, HttpMethod.GET, httpEntity, String.class);

Am I missing something? Why does the RestTemplate not fail with a 403 error, or at least a 302 (with a Location header)?

I also tried the following approach, with the same result:

URL u = new URL(getPageUrl(page));
HttpURLConnection huc = (HttpURLConnection) u.openConnection();
String token = username + ":" + password;
// HTTP Basic credentials: the scheme name is "Basic" (the original snippet had "Base ")
String authorizationValue = "Basic " + new String(Base64.encode(token.getBytes()));
huc.setRequestProperty("Authorization", authorizationValue);
huc.setRequestMethod("GET");
huc.connect();
// HttpURLConnection follows redirects by default, so this is the status of the final page
return huc.getResponseCode();

Best answer

You can prevent RestTemplate from hiding the redirect by creating something like this:

RestTemplate restTemplate = new RestTemplate(new SimpleClientHttpRequestFactory() {
    @Override
    protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
        super.prepareConnection(connection, httpMethod);
        // Return the 302 (and its Location header) instead of following it to the login page
        connection.setInstanceFollowRedirects(false);
    }
});

Update: generally speaking, it is a good idea to set up a separate HTTP chain for the API, e.g.:

<http pattern="/admin/api/.+" request-matcher="regex" create-session="stateless">
    <intercept-url pattern="/admin/api/.+" access="hasRole('ADMIN')"/>
    <http-basic/>
    <csrf disabled="true" />
</http>
<http pattern="/admin.*" request-matcher="regex">
    <intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
    <logout logout-url="/admin/logout" success-handler-ref="customLogoutSuccessHandler"/>
    <form-login login-page="/admin/login" login-processing-url="/admin/login"
                authentication-success-handler-ref="customSuccessHandler"
                authentication-failure-handler-ref="customFailureHandler"/>
</http>
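Worked example, added here as editorial material and not code from the question or the answer: a small client that combines the two points of the answer above, a RestTemplate that does not follow redirects and a probe of each URL against the split configuration. The base URL http://localhost:8080 and the user/admin credentials are assumptions. Two facts about the setup explain the 200 in the question: the original single chain declares no <http-basic/>, so no filter in that chain ever evaluates the Authorization header (whatever its scheme name), and the form-login entry point answers an unauthenticated request with a 302 to /admin/login, which HttpURLConnection follows by default, so the status the question's code reads is the 200 of the login page itself.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestTemplate;

/**
 * Added example (not from the original post). Probes the secured URLs with a
 * RestTemplate that does NOT follow redirects, so a 302 to the login page is
 * reported as 302 rather than as the 200 of the page it redirects to.
 * BASE_URL and the credentials used in main() are assumptions.
 */
public class AccessCheck {

    private static final String BASE_URL = "http://localhost:8080"; // assumed

    private final RestTemplate restTemplate;

    public AccessCheck() {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
                super.prepareConnection(connection, httpMethod);
                // Surface the 302 and its Location header instead of silently following it
                connection.setInstanceFollowRedirects(false);
            }
        };
        this.restTemplate = new RestTemplate(factory);
    }

    /**
     * Returns the status the server actually answered with. RestTemplate's default
     * error handler throws for 4xx/5xx (caught below); 3xx responses are returned.
     * Pass username == null for an anonymous request.
     */
    public HttpStatus status(String path, String username, String password) {
        HttpHeaders headers = new HttpHeaders();
        if (username != null) {
            // The scheme name is "Basic"; the header is only evaluated by a chain that declares <http-basic/>
            String token = username + ":" + password;
            String encoded = Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
            headers.set("Authorization", "Basic " + encoded);
        }
        try {
            ResponseEntity<String> response = restTemplate.exchange(
                    BASE_URL + path, HttpMethod.GET, new HttpEntity<>(headers), String.class);
            if (response.getStatusCode().series() == HttpStatus.Series.REDIRECTION) {
                System.out.println(path + " -> " + response.getStatusCode().value()
                        + " Location: " + response.getHeaders().getLocation());
            }
            return response.getStatusCode();
        } catch (HttpStatusCodeException e) {
            return e.getStatusCode();
        }
    }

    public static void main(String[] args) {
        AccessCheck check = new AccessCheck();
        // Form-login chain: an anonymous request is redirected to /admin/login.
        System.out.println("/admin anonymous: " + check.status("/admin", null, null));
        // Stateless http-basic chain from the answer's update (credentials are assumed):
        System.out.println("/admin/api/properties anonymous: " + check.status("/admin/api/properties", null, null));
        System.out.println("/admin/api/properties user: " + check.status("/admin/api/properties", "user", "password"));
        System.out.println("/admin/api/properties admin: " + check.status("/admin/api/properties", "admin", "password"));
    }
}
```

Under the answer's updated configuration, the codes this client reports are what Spring Security produces for each case: /admin without a session is a 302 whose Location points at /admin/login; /admin/api/properties without credentials is a 401 from the BasicAuthenticationEntryPoint; valid credentials without ROLE_ADMIN give a 403; ADMIN credentials give a 200. The same client run against the original single chain shows the problem in the question directly: every request to /admin/api/properties, with or without credentials, comes back as a 302 to the login page, because that chain has nothing that reads the Authorization header.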

A similar question about "java - RestTemplate does not fail with a 403 or 302 error when requesting a secured page" is on Stack Overflow: https://stackoverflow.com/questions/32455171/
