java - 带有错误凭据的 POST 请求返回 405 而不是 401
问题描述
我正在尝试在由 Spring Security 保护的 Spring 中创建新的 POST 端点。端点正在工作。如果我提供正确的数据和凭据,服务器会处理请求并返回 200。如果我提供不正确的凭据,我会得到 405,我期望 401。
我发现了与我的问题类似的东西,但我认为这不是我的情况。同样的问题没有回应。
我还尝试将控制器的请求方法从 POST 更改为 GET,并将请求从 POST 更改为 GET,并且成功了!对于错误的凭据,收到的 401 和正确的 200。
这是我的配置:
控制器
@Controller
@RequestMapping(value = "/api/v1")
@Secured(UserRoles.ROLE_USER)
public class ApiController {
@RequestMapping(value = "/test", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE)
@ResponseStatus(value = HttpStatus.OK)
@ResponseBody
public ResponseEntity<String> handleRequest(@RequestBody DataBody dataBody, Model model, Locale locale) {
try{
//do something
return new ResponseEntity<>("received", HttpStatus.OK);
} catch (SomeProblemException e) {
return new ResponseEntity<>(e.toString(), HttpStatus.BAD_REQUEST);
}
}
安全上下文
<!-- In Memory Authentication Manager -->
<sec:authentication-manager id="inMemoryAuthManager" >
<sec:authentication-provider>
<sec:user-service properties="WEB-INF/classes/usersRoles.properties"/>
<sec:password-encoder hash="bcrypt" />
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Definition of access rules for API -->
<sec:http use-expressions="true" pattern="/api/**" create-session="stateless"
authentication-manager-ref="inMemoryAuthManager">
<sec:intercept-url pattern="/api/**"
access="hasRole('ROLE_USER')"/>
<sec:http-basic/>
</sec:http>
<!-- Definition of access rules for WEB GUI. -->
<sec:http use-expressions="true"
authentication-manager-ref="inMemoryAuthManager">
<!-- Resources and errors do not need authorization. -->
<sec:intercept-url pattern="/favicon.ico" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/img/**" access="permitAll"/>
<sec:intercept-url pattern="/js/**" access="permitAll"/>
<sec:intercept-url pattern="/fonts/**" access="permitAll"/>
<sec:intercept-url pattern="/error/**" access="permitAll"/>
<sec:intercept-url pattern="/login" access="permitAll"/>
<sec:intercept-url pattern="/login.do" access="permitAll"/>
<!-- The rest of pages need authorized user with role ROLE_USER. -->
<sec:intercept-url pattern="/**"
access="hasRole('ROLE_USER')"/>
<!-- Configuration of login page. -->
<sec:form-login login-page="/login"
login-processing-url="/login.do"
authentication-failure-url="/login?error=true"
default-target-url="/applications" username-parameter="username"
password-parameter="password"/>
<!-- Redirect from logout page. -->
<sec:logout logout-url="/logout"
logout-success-url="/login?logout=true" invalidate-session="true"
delete-cookies="JSESSIONID"/>
<!-- Redirect for forbidden page. -->
<sec:access-denied-handler error-page="/error?err=403"/>
<!-- Port configuration. -->
<sec:port-mappings>
<sec:port-mapping http="8080" https="8443"/>
</sec:port-mappings>
<sec:headers>
<sec:frame-options policy="DENY"/>
<sec:content-type-options/>
<sec:xss-protection block="true"/>
</sec:headers>
</sec:http>
HTTP 请求(邮递员)
POST /api/v1/test HTTP/1.1
Host: localhost:8080
Content-Type: application/json
Authorization: Basic bWFudGfmZjptYW50YQ==
User-Agent: PostmanRuntime/7.15.2
Accept: */*
Host: localhost:8080
{
"something": "data",
"somethingelse": "data"
}
HTTP 响应(邮递员)
Status 405
WWW-Authenticate: Basic realm="Spring Security Application"
Allow: GET
我使用 Spring Security 3.2.10-RELEASE。我尝试启用 Spring Security 日志,但失败了。
解决方案
问题出在这里:
@Controller
public class ErrorController {
@RequestMapping("/error")
public String error(@RequestParam(value = "err", required = false) Integer paramErrorCode, Locale locale,
ModelMap model, HttpServletRequest httpRequest) {
// Do something
}
我有一个控制器,它处理错误屏幕,但它只支持 GET 方法。当我将它更改为 GET 和 POST 时,它开始工作。
解决方案:
@Controller
public class ErrorController {
@RequestMapping(value = "/error" method = {RequestMethod.GET, RequestMethod.POST})
public String error(@RequestParam(value = "err", required = false) Integer paramErrorCode, Locale locale,
ModelMap model, HttpServletRequest httpRequest) {
// Do something
}
如果web.xml不确定是什么原因导致重定向
<error-page>
<location>/error</location>
</error-page>
或 securitycontext.xml
<sec:access-denied-handler error-page="/error?err=403"/>
推荐阅读
- c++11 - 使用 nlohmann 数据类型创建变量失败
- c - 在 C 中再次循环
- html - 如何从我的按钮开始的地方开始文本并且我不想将它流到外面?
- dart - 缩写:bar != null ? 'foo$bar' : 空
- c - 尝试在 C 中进行互相关
- python - 如何将 TensorFlow 层与保持保存的示例数量连接起来?
- php - 我想使用波斯日历,我应该改变什么?
- python - 使用 GridSearchCV 进行目标缩放
- flask - 在 Pycharm 中运行 Flask 但无法输入自定义命令
- python - Discord.py - {ctx.command} 不显示输入的命令