OAuth2AuthorizationRequestRedirectFilter 给出 500 给定不存在的客户端注册 ID
OAuth2AuthorizationRequestRedirectFilter gives 500 given not existing client registration Id
当调用/oauth2/authorization/not-existed-registration时,这个returns 500。应该return 404吗?
将此值从 500 更改为 400 的建议方法是什么?或者它是 500 的原因是什么?
源代码:
try {
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(request);
if (authorizationRequest != null) {
this.sendRedirectForAuthorization(request, response, authorizationRequest);
return;
}
}
catch (Exception ex) {
this.unsuccessfulRedirectForAuthorization(request, response, ex);
return;
}
private void unsuccessfulRedirectForAuthorization(HttpServletRequest request, HttpServletResponse response,
Exception ex) throws IOException {
this.logger.error(LogMessage.format("Authorization Request failed: %s", ex, ex));
response.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value(),
HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
}
引用自 Spring 安全存储库中的 this issue
As per spec, if the Authorization Request contains invalid parameters or missing parameters than the status should be 400.
However, if an incorrect clientRegistrationId is sent than a status of 500 is returned. The reason for this is because at this point the Authorization Request has not been triggered by the client and the client is unable to resolve the requested ClientRegistration because the clientRegistrationId does not exist in the ClientRegistrationRepository. IMO this use case is likely a configuration/setup error by the user so it signals to the user to correct the configuration.
在我们的例子中,我们可以随意输入 registrationId,所以我仍然决定将其设置为 return 400,因为 API 用户在看到 500 和 API用户看到400不会抱怨,自己摸索。
如果有人遇到同样的问题,这是我的解决方案。
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI
class MyWebSecurityConfigurerAdapter @Autowired constructor(
) : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
val validator = ValidationFilter()
http
.requestMatchers()
.antMatchers("$DEFAULT_AUTHORIZATION_REQUEST_BASE_URI/**", DEFAULT_FILTER_PROCESSES_URI)
.and()
.addFilterBefore(
validator,
OAuth2AuthorizationRequestRedirectFilter::class.java
)
.oauth2Login()
}
}
过滤器
class ValidationFilter(val registrationRepository: RegistrationRepository) : OncePerRequestFilter() {
override fun doFilterInternal(
request: HttpServletRequest,
response: HttpServletResponse,
filterChain: FilterChain
) {
val registrationId = request.requestURI.split("/").last()
val findById = registrationRepository.findById(registrationId)
if (findById.isEmpty) {
response.sendError(
HttpStatus.NOT_FOUND.value(),
"Registration $registrationId is not configured. Please configure $registrationId before using"
)
} else {
filterChain.doFilter(request, response)
}
}
}
当调用/oauth2/authorization/not-existed-registration时,这个returns 500。应该return 404吗?
将此值从 500 更改为 400 的建议方法是什么?或者它是 500 的原因是什么?
源代码:
try {
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(request);
if (authorizationRequest != null) {
this.sendRedirectForAuthorization(request, response, authorizationRequest);
return;
}
}
catch (Exception ex) {
this.unsuccessfulRedirectForAuthorization(request, response, ex);
return;
}
private void unsuccessfulRedirectForAuthorization(HttpServletRequest request, HttpServletResponse response,
Exception ex) throws IOException {
this.logger.error(LogMessage.format("Authorization Request failed: %s", ex, ex));
response.sendError(HttpStatus.INTERNAL_SERVER_ERROR.value(),
HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
}
引用自 Spring 安全存储库中的 this issue
As per spec, if the Authorization Request contains invalid parameters or missing parameters than the status should be 400.
However, if an incorrectclientRegistrationIdis sent than a status of 500 is returned. The reason for this is because at this point the Authorization Request has not been triggered by the client and the client is unable to resolve the requestedClientRegistrationbecause theclientRegistrationIddoes not exist in theClientRegistrationRepository. IMO this use case is likely a configuration/setup error by the user so it signals to the user to correct the configuration.
在我们的例子中,我们可以随意输入 registrationId,所以我仍然决定将其设置为 return 400,因为 API 用户在看到 500 和 API用户看到400不会抱怨,自己摸索。
如果有人遇到同样的问题,这是我的解决方案。
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.DEFAULT_FILTER_PROCESSES_URI
class MyWebSecurityConfigurerAdapter @Autowired constructor(
) : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
val validator = ValidationFilter()
http
.requestMatchers()
.antMatchers("$DEFAULT_AUTHORIZATION_REQUEST_BASE_URI/**", DEFAULT_FILTER_PROCESSES_URI)
.and()
.addFilterBefore(
validator,
OAuth2AuthorizationRequestRedirectFilter::class.java
)
.oauth2Login()
}
}
过滤器
class ValidationFilter(val registrationRepository: RegistrationRepository) : OncePerRequestFilter() {
override fun doFilterInternal(
request: HttpServletRequest,
response: HttpServletResponse,
filterChain: FilterChain
) {
val registrationId = request.requestURI.split("/").last()
val findById = registrationRepository.findById(registrationId)
if (findById.isEmpty) {
response.sendError(
HttpStatus.NOT_FOUND.value(),
"Registration $registrationId is not configured. Please configure $registrationId before using"
)
} else {
filterChain.doFilter(request, response)
}
}
}