Disable Redirect by Spring Security in Jersey Spring Boot Application
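I am pulling my hair out. The environment is a JAX-RS (using Jersey) RESTful application configured via Spring Boot. I am developing an orchestration layer that communicates with microservices. The orchestration layer uses RestTemplate to perform the calls to the microservices.
For some reason, when the orchestration service returns an error-level status code, Spring Security tries to POST to http://localhost:65448/error. I have no idea who is doing this. I turned on logging, traced through the code, searched the internet, and read all the documentation... I cannot determine the class that is trying to do this. I cannot stop it.
Here is my Spring Security configuration (Groovy):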
@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject
    private UserService userService

    @Inject
    private StatelessAuthenticationFilter statelessAuthenticationFilter

    void configure(WebSecurity web) throws Exception {
    }

    void configure(HttpSecurity http) throws Exception {
        http
            .anonymous().and()
            // .servletApi().and()
            .headers().cacheControl().and()
            .exceptionHandling().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .rememberMe().disable()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .jee().disable()
            .logout().disable()
            //.openidLogin().disable()
            .authorizeRequests()
                .filterSecurityInterceptorOncePerRequest(true)
                // Allow anonymous logins
                .antMatchers('/security/authc').permitAll()
                // All other request need to be authenticated
                .anyRequest().authenticated().and()
            // Custom Token based authentication based on the header previously given to the client
            .addFilterAfter(statelessAuthenticationFilter, BasicAuthenticationFilter)
    }

    void configure(AuthenticationManagerBuilder auth) {
        auth
            .userDetailsService(userService)
            .passwordEncoder(passwordEncoder())
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        new BCryptPasswordEncoder()
    }

    @Bean
    AuthenticationManager authenticationManagerBean() {
        super.authenticationManagerBean()
    }
}
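The test code performs a simple REST-based authentication by POSTing to the authc endpoint with an Authorization header. This works as expected, except when the orchestration service returns an error-level status code.
Here are the relevant logs: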
[2015-06-03 07:07:15.621] boot - 47784 INFO [qtp1012776440-21] --- LoggingFilter: 1 * Server has received a request on thread qtp1012776440-21
1 > POST http://localhost:65448/security/authc
1 > Accept: */*
1 > Accept-Encoding: gzip,deflate
1 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
1 > Connection: keep-alive
1 > Content-Length: 0
1 > Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1
1 > Host: localhost:65448
1 > User-Agent: Apache-HttpClient/4.2.1 (java 1.5)
[2015-06-03 07:07:15.753] boot - 47784 INFO [qtp1012776440-21] --- LoggingFilter: 1 * Server responded with a response on thread qtp1012776440-21
1 < 400
[2015-06-03 07:07:15.757] boot - 47784 INFO [qtp1012776440-21] --- LoggingFilter: 2 * Server has received a request on thread qtp1012776440-21
2 > POST http://localhost:65448/error
2 > Accept: */*
2 > Accept-Encoding: gzip,deflate
2 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
2 > Connection: keep-alive
2 > Content-Length: 0
2 > Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1
2 > Host: localhost:65448
2 > User-Agent: Apache-HttpClient/4.2.1 (java 1.5)
[2015-06-03 07:07:15.781] boot - 47784 INFO [qtp1012776440-21] --- LoggingFilter: 2 * Server responded with a response on thread qtp1012776440-21
2 < 404
2 < Content-Type: application/json
HTTP/1.1 404 Not Found
Date: Wed, 03 Jun 2015 11:07:15 GMT
Pragma: no-cache
X-Application-Context: Test:test:0
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(9.2.9.v20150224)
Please help before I throw my computer out the window.
Cheers
This is caused by ErrorMvcAutoConfiguration. You can disable it (via an exclude on the EnableAutoConfiguration annotation) or change its path, if you have a custom error path, using the property error.path.
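Hi,
This is the default behaviour of Jetty when the server responds with a status code >= 400 (except 404) and the response has no entity. You can "disable" this behaviour by setting an empty list of error pages: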
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // Skip the /error redirect that would otherwise be performed
            container.setErrorPages(Sets.<ErrorPage> newConcurrentHashSet());
        }
    };
}
Despite this workaround, the server will still send the real HTTP status with an XML body (see ErrorHandler).
The same is true for Undertow.
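To tell a container error dispatch apart from a request a client actually sent to /error, the LoggingFilter output in the question can be checked mechanically. The following is an added example, not code from the question or the answers: a heuristic that flags a request to the error path arriving on the same thread within a few milliseconds of a response with status >= 400, and reports which request headers (here Authorization) were carried into the dispatch. The function names, the shortened thread names, the placeholder token and the 50 ms window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit
# Constructed sample in the LoggingFilter format from the question; the token is a placeholder.
SAMPLE_LOG = """\
[2015-06-03 07:07:15.621] boot - 47784 INFO [qtp1-21] --- LoggingFilter: 1 * Server has received a request on thread qtp1-21
1 > POST http://localhost:65448/security/authc
1 > Authorization: PLACEHOLDER
[2015-06-03 07:07:15.753] boot - 47784 INFO [qtp1-21] --- LoggingFilter: 1 * Server responded with a response on thread qtp1-21
1 < 400
[2015-06-03 07:07:15.757] boot - 47784 INFO [qtp1-21] --- LoggingFilter: 2 * Server has received a request on thread qtp1-21
2 > POST http://localhost:65448/error
2 > Authorization: PLACEHOLDER
[2015-06-03 07:07:15.781] boot - 47784 INFO [qtp1-21] --- LoggingFilter: 2 * Server responded with a response on thread qtp1-21
2 < 404
[2015-06-03 07:07:19.000] boot - 47784 INFO [qtp1-21] --- LoggingFilter: 3 * Server has received a request on thread qtp1-21
3 > GET http://localhost:65448/error
"""

HEAD = re.compile(r"^\[([^\]]+)\] .*LoggingFilter: (\d+) \* Server (has received|responded) .* on thread (\S+)$")
REQ = re.compile(r"^(\d+) > ([A-Z]+) (\S+)$")       # request line: method and URL
HDR = re.compile(r"^(\d+) > ([\w-]+): (.*)$")       # request header
STATUS = re.compile(r"^(\d+) < (\d{3})$")           # response status

def parse_exchanges(text):
    """Group LoggingFilter lines into one record per request id."""
    ex = {}
    for line in text.splitlines():
        if m := HEAD.match(line):
            rec = ex.setdefault(int(m[2]), {"id": int(m[2]), "thread": m[4], "headers": {}})
            rec["received" if m[3] == "has received" else "responded"] = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S.%f")
        elif m := REQ.match(line):
            ex[int(m[1])].update(method=m[2], path=urlsplit(m[3]).path)
        elif m := HDR.match(line):
            ex[int(m[1])]["headers"][m[2].lower()] = m[3]
        elif m := STATUS.match(line):
            ex[int(m[1])]["status"] = int(m[2])
    return ex

def find_error_dispatches(text, error_path="/error", window_ms=50):
    """Return (origin_id, dispatch_id, replayed_header_names) for each suspected error dispatch."""
    findings, last = [], {}
    for cur in sorted(parse_exchanges(text).values(), key=lambda r: r["id"]):
        prev, last[cur["thread"]] = last.get(cur["thread"]), cur  # previous exchange on this thread
        if prev and cur.get("path") == error_path and prev.get("status", 0) >= 400 and "responded" in prev:
            if timedelta(0) <= cur["received"] - prev["responded"] <= timedelta(milliseconds=window_ms):
                replayed = sorted(k for k, v in cur["headers"].items() if prev["headers"].get(k) == v)
                findings.append((prev["id"], cur["id"], replayed))
    return findings
```

On the constructed sample, request 2 is flagged as a dispatch of request 1 with the Authorization header carried over, while request 3 (same path, seconds later) is not.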