
Disable Redirect by Spring Security in Jersey Spring Boot Application

I am pulling my hair out. The environment is a JAX-RS (using Jersey) RESTful application configured via Spring Boot. I am developing an orchestration layer that communicates with microservices. The orchestration layer uses RestTemplate to perform the calls to the microservices.

For some reason, when there is an error level status code returned from the orchestration service, Spring Security attempts to post to http://localhost:65448/error. I have NO idea who is doing this. I have turned up logging, traced through the code, scoured the internet, and read all the documentation... I cannot determine what class is attempting to do this. I cannot stop it.

Here is my Spring Configuration (Groovy) for the security bits:

import javax.inject.Inject

import org.springframework.boot.autoconfigure.security.SecurityProperties
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.annotation.Order
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.builders.WebSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter

// UserService and StatelessAuthenticationFilter are the application's own classes
// (assumed to live in this package).
@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject
    private UserService userService

    @Inject
    private StatelessAuthenticationFilter statelessAuthenticationFilter

    @Override
    void configure(WebSecurity web) throws Exception {
        // Nothing is ignored at the WebSecurity level; every request passes through the filter chain
    }

    @Override
    void configure(HttpSecurity http) throws Exception {
        http
                .anonymous().and()
              //  .servletApi().and()
                .headers().cacheControl().and()
                .exceptionHandling().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .rememberMe().disable()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .jee().disable()
                .logout().disable()
                //.openidLogin().disable()
                .authorizeRequests()
                .filterSecurityInterceptorOncePerRequest(true)

                // Allow anonymous logins
                .antMatchers('/security/authc').permitAll()

                // All other requests need to be authenticated
                .anyRequest().authenticated().and()

                // Custom token-based authentication based on the header previously given to the client
                .addFilterAfter(statelessAuthenticationFilter, BasicAuthenticationFilter)
    }

    @Override
    void configure(AuthenticationManagerBuilder auth) {
        auth
                .userDetailsService(userService)
                .passwordEncoder(passwordEncoder())
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        new BCryptPasswordEncoder()
    }

    @Bean
    @Override
    AuthenticationManager authenticationManagerBean() {
        super.authenticationManagerBean()
    }

}

The test code is performing a simple REST-based authentication by posting an Authorization header to the authc endpoint. This works as expected unless the orchestration service returns an error level status code.

Here is the relevant logging:

[2015-06-03 07:07:15.621] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 1 * Server has received a request on thread qtp1012776440-21
1 > POST http://localhost:65448/security/authc
1 > Accept: */*
1 > Accept-Encoding: gzip,deflate
1 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
1 > Connection: keep-alive
1 > Content-Length: 0
1 > Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1
1 > Host: localhost:65448
1 > User-Agent: Apache-HttpClient/4.2.1 (java 1.5)

[2015-06-03 07:07:15.753] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 1 * Server responded with a response on thread qtp1012776440-21
1 < 400

[2015-06-03 07:07:15.757] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 2 * Server has received a request on thread qtp1012776440-21
2 > POST http://localhost:65448/error
2 > Accept: */*
2 > Accept-Encoding: gzip,deflate
2 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
2 > Connection: keep-alive
2 > Content-Length: 0
2 > Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1
2 > Host: localhost:65448
2 > User-Agent: Apache-HttpClient/4.2.1 (java 1.5)

[2015-06-03 07:07:15.781] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 2 * Server responded with a response on thread qtp1012776440-21
2 < 404
2 < Content-Type: application/json

HTTP/1.1 404 Not Found
Date: Wed, 03 Jun 2015 11:07:15 GMT
Pragma: no-cache
X-Application-Context: Test:test:0
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(9.2.9.v20150224)

Please help before I toss my computer out the window.

Cheers

This is caused by the ErrorMvcAutoConfiguration. You can either disable it (via exclude on the annotation EnableAutoConfiguration) or change its path, if you have a custom error path, with the property error.path.

Hi,

This is the default behaviour of Jetty when the server responds with a status code >= 400 (except for 404) and the response has no entity. You can "disable" this behaviour by setting an empty error pages list:

import com.google.common.collect.Sets;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.ErrorPage;
import org.springframework.context.annotation.Bean;

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {

    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // Skip the redirect to /error that the container performs for empty error responses
            container.setErrorPages(Sets.<ErrorPage>newConcurrentHashSet());
        }
    };
}

Despite this workaround, the server will send the real HTTP status with an XML body (see ErrorHandler).

This is also the case for Undertow.
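Since the answer above ties the /error dispatch to an error response that has no entity, the condition can also be removed on the Jersey side by making sure every >= 400 response carries a body. The following is an added example, not code from the question or either answer; it assumes Jersey 2 (javax.ws.rs), a JSON provider such as Jackson on the classpath, and that the filter class is registered with the application's ResourceConfig.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.ext.Provider;

// Added example (hypothetical class name): a Jersey response filter that gives every
// error response a small JSON entity, so the embedded container never sees an
// empty >= 400 response and therefore never forwards the request to /error.
@Provider
public class ErrorBodyResponseFilter implements ContainerResponseFilter {

    @Override
    public void filter(ContainerRequestContext request,
                       ContainerResponseContext response) throws IOException {
        int status = response.getStatus();

        // Successful responses, and error responses that already carry a body
        // (for example from a custom ExceptionMapper), are passed through untouched.
        if (status < 400 || response.hasEntity()) {
            return;
        }

        // Deliberately generic body: status, reason phrase and request path only,
        // so no stack trace or internal detail reaches the client.
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("status", status);
        body.put("error", response.getStatusInfo().getReasonPhrase());
        body.put("path", request.getUriInfo().getPath());

        response.setEntity(body, response.getEntityAnnotations(),
                MediaType.APPLICATION_JSON_TYPE);
    }
}
```

The filter only runs for responses that Jersey itself produces; a 401 or 403 written directly by a Spring Security filter before the request reaches Jersey still has no entity, so the container-level fix above is what covers that case.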
