登录
当前位置: 首页 > 知识库问答 >
问题:

Spring Websecurity在控制器中抛出异常时在“忽略”资源上抛出401

马侯林
2023-03-14 
@EnableResourceServer
@EnableWebSecurity
@Configuration
public class WebConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        web.ignoring().mvcMatchers(
            "/actuator/info",
            "/actuator/health",
            "/someArbitraryPath/**");
    }
}

@RestController
@RequestMapping("/someArbitraryPath")
public class SomeArbitraryApiController {
    private final SomeArbitraryService service;
    private final SomeArbitraryDtoMapper dtoMapper;

    public SomeArbitraryApiController(SomeArbitraryService service, SomeArbitraryDtoMapper dtoMapper) {
        this.service = service;
        this.dtoMapper = dtoMapper;
    }

    @GetMapping(value = "/someDtosList", params = {"page", "size"})
    @Transactional(readOnly = true)
    public SomePageDto getSomeDtoPage(
                @RequestParam(value = "page", required = false, defaultValue = "0") int page,
                @RequestParam(value = "size", required = false, defaultValue = "250") int size) {
        Page<SomeObject> someDtoPage = service.searchPageOfSomeObjects(page, size);
        List<SomeDto> someDtoList = dtoMapper.someObjectsToDtos(someDtoPage.getContent());
        PageDto pageDto = new PageDto(size, someDtoPage.getTotalElements(), someDtoPage.getTotalPages(), page);
        return new SomePageDto(someDtoList, pageDto);
    }

    @GetMapping("/someDtosList/{dtoId}")
    @Transactional(readOnly = true)
    public SomeDto getSomeDtoById(@PathVariable(value = "dtoId") String dtoId) {
        return dtoMapper.objectToDto(
                service.getSomeObjectById(dtoId)
        );
    }
}

两者的最后一个调用,即检索特定SomeDto对象的调用,可以抛出ResourceNotFoundException,该调用被配置为返回ResponseStatus NOT_Found:

import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ResponseStatus;

@ResponseStatus(value = HttpStatus.NOT_FOUND)
public class ResourceNotFoundException extends RuntimeException {
    public ResourceNotFoundException(String resourceName, String fieldName, Object fieldValue) {
        super(String.format("%s not found with %s : '%s'", resourceName, fieldName, fieldValue));
    }
}

但是,当调用此“未安全”时,它不会返回404 HTTP状态--它会返回401未授权:

{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}

但是,当我在RestController中显式捕获异常并将HttpServletResponse对象上的响应状态设置为

response.setStatus(HttpStatus.SC_NOT_FOUND);

当我用一个有效的JWT令牌调用这个endpoint时,它确实用正确的正文返回给我正确的404错误。

我做错了什么?

共有1个答案

子车俊哲
2023-03-14

一个深入的介绍调试日志进一步,我发现了问题。

当抛出一个带有HTTP_STATUS代码的异常时,Spring实际上会重定向到/error。因此为了安全起见,必须将该endpoint添加到忽略的endpoint中。

2019-04-18 15:47:36,950 DEBUG o.s.web.servlet.DispatcherServlet - Completed 404 NOT_FOUND, headers={} 
2019-04-18 15:47:36,958 DEBUG o.a.c.c.C.[Tomcat].[localhost] - Processing ErrorPage[errorCode=0, location=/error] 
2019-04-18 15:47:36,962 DEBUG o.a.catalina.core.StandardWrapper -   Returning non-STM instance 
2019-04-18 15:47:36,962 DEBUG s.d.s.w.PropertySourcedRequestMappingHandlerMapping - looking up handler for path: /error 
2019-04-18 15:47:36,968 DEBUG s.d.s.w.PropertySourcedRequestMappingHandlerMapping - looking up handler for path: /error 
2019-04-18 15:47:36,968 DEBUG s.d.s.w.PropertySourcedRequestMappingHandlerMapping - looking up handler for path: /error 
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/v2/api-docs' 
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-resources/configuration/ui' 
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-resources' 
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-resources/configuration/security' 
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/swagger-ui.html' 
2019-04-18 15:47:36,969 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/webjars/**' 
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter' 
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' 
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter' 
2019-04-18 15:47:36,970 DEBUG o.s.security.web.FilterChainProxy - /error at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter' 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET] 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/error'; against '/logout' 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST] 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'POST /logout' 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT] 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'PUT /logout' 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE] 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /error' doesn't match 'DELETE /logout' 
2019-04-18 15:47:36,971 DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found 
2019-04-18 15:47:36,971 DEBUG o.s.security.web.FilterChainProxy - /error at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter' 
2019-04-18 15:47:36,971 DEBUG o.s.s.o.p.a.BearerTokenExtractor - Token not found in headers. Trying request parameters. 
2019-04-18 15:47:36,971 DEBUG o.s.s.o.p.a.BearerTokenExtractor - Token not found in request parameters.  Not an OAuth2 request. 
2019-04-18 15:47:36,971 DEBUG o.s.s.o.p.a.OAuth2AuthenticationProcessingFilter - No token in request, will continue chain. 
2019-04-18 15:47:36,971 DEBUG o.s.security.web.FilterChainProxy - /error at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' 
2019-04-18 15:47:36,971 DEBUG o.s.security.web.FilterChainProxy - /error at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' 
2019-04-18 15:47:36,972 DEBUG o.s.security.web.FilterChainProxy - /error at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' 
2019-04-18 15:47:36,973 DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@c875a1a4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' 
2019-04-18 15:47:36,973 DEBUG o.s.security.web.FilterChainProxy - /error at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' 
2019-04-18 15:47:36,973 DEBUG o.s.security.web.FilterChainProxy - /error at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter' 
2019-04-18 15:47:36,973 DEBUG o.s.security.web.FilterChainProxy - /error at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor' 
2019-04-18 15:47:36,974 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /error; Attributes: [#oauth2.throwOnError(authenticated)] 
2019-04-18 15:47:36,974 DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@c875a1a4: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS 
2019-04-18 15:47:36,979 DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@789f882a, returned: -1 
2019-04-18 15:47:36,982 DEBUG o.s.b.a.a.listener.AuditListener - AuditEvent [timestamp=2019-04-18T13:47:36.981Z, principal=anonymousUser, type=AUTHORIZATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null, type=org.springframework.security.access.AccessDeniedException, message=Access is denied}] 
2019-04-18 15:47:36,982 DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point 
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:233)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:124)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:712)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:461)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
    at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:394)
    at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:253)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:175)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

多谢你的指路明灯,杜尔!

 类似资料:
  • Java:抛出异常会抛出异常吗?

    抛出异常的行为是否可能抛出不同的异常? 为了抛出异常,必须(可选地)分配新对象,并调用其构造函数(隐式调用fillinstacktrace)。在某些情况下,听起来像addSupressed也被称为。那么如果没有足够的内存会发生什么呢?JVM是否需要预分配内置异常?例如,(1/0)会抛出OutOfMemoryError而不是ArithmeticException吗? 此外,构造函数是一个方法调用,因

  • Hibernate:在@PostUpdate中抛出异常

    我在Spring/Hibernate网络应用程序上有以下代码: 实体: 听众: 此代码在实体上每次更新或持久化后调用。问题在于,当为负数量引发异常时,hibernate将上的

  • PyDev在重新打开项目时抛出异常“资源不存在

    在我的RCP应用程序中,当我关闭并重新打开PyDev项目时,PyDev会在控制台上抛出一个异常,抱怨项目资源不存在。之后一切似乎都能正常工作,但我当然希望避免向我的用户显示一个虚假的异常。 通过对堆栈跟踪的导航,我可以看出,PyDev的内容提供者希望项目资源存在,但它不存在。当我检测到一个项目关闭时,也许我应该调用PyDev中的某个API?还是这是个窃听器?我在5.1.2版本上注意到了这个问题,但

  • Spring MVC:确定哪个控制器在@ExceptionHandler中抛出了异常

    我用Spring Boot和百里香SpringMVC。我有返回百里香模板名称的普通控制器和用< code>@RepsonseBody注释的REST控制器。 假设我有一个< code > EntityNotFoundException ,它是由控制器调用的某个代码抛出的。如果抛出,我想分别为REST控制器返回一个404状态代码和一个错误页面或错误消息。 我当前对普通控制器的设置: 对于REST控制程

  • Java 抛出异常时中断

    问题内容: Visual Studio有一个选项,可以在引发未处理的异常时自动将其插入调试器,Eclipse是否具有类似的功能? 问题答案: 即使未捕获到这些异常,您也可以定义要在其上创建断点的确切的异常列表(应该等效于“ unhandled”)

  • 是否需要抛出异常而抛出异常?

    问题内容: 考虑以下代码: 无需添加方法签名即可编译该代码。(它与同样表现到位,太)。 我理解为什么 可以 安全地运行它,因为实际上不能将其引发在块中,因此不能引发已检查的异常。我有兴趣知道在何处指定此行为。 并非永远都不会达到目标:以下代码也会编译: 但是,如果抛出一个检查的异常,它不会像我期望的那样编译: 在JLS Sec 11.2.2中 ,它说: 一,其抛出的表达式语句(§14.18)具有静

相关问答

在Java中抛出匿名异常在打印抛出的异常时从捕获块抛出建议如何获取在spring错误控制器中抛出的异常类在嵌套对象上抛出_InternalLinkedHashMap异常抛出选中异常与抛出包装的RuntimeException

相关文章

抛出异常时的Java最佳实践:抛出核心Java异常抛出异常以控制流-代码有异味吗?在Python中手动引发(抛出)异常转换器类抛出异常java.lang.IllegalArgumentException抛出空指针异常

相关阅读

TestNG忽略测试Java异常处理机制4.3 Verilog 时序控制Pygame Time时间控制HttpClient忽略证书错误

相关工具

资源星球iPhone XIB资源批量转换iPad蓝牙远程控制安卓控制电脑DRBD 管理控制台

相关文档

资源大全中文版IIS 管理控制器帮助手册 v6.0Windows 访问控制制造开源软件JCL 作业控制语言 中文文档
快捷导航: 新手教程 算法原理 架构设计 Java进阶 数据库进阶 大厂专栏 面试经验 编程笔记 编程问答 所有专题 文档资料 工具软件 电子书籍 小牛导航
在线工具: 房贷计算器 个税计算器 Linux命令查询 Json格式化 正则表达式 颜色转换 AES加解密 SHA1加密 MD5加密 毒鸡汤 字数统计 随机密码生成 进制转换 Base64编解码 励志句子
Copyright © 2019-2024 小牛知识库@xnip.cn. All Rights Reserved.