Is there a way to work around RatpackPac4j#requireAuth not setting the WWW-Authenticate header?
When testing Pac4j (2.x) authentication in the context of a Ratpack (1.5.x) app, I find that when I use this handler:
all RatpackPac4j.requireAuth(HeaderClient)
...Unauthorised requests get rejected correctly with a 401 status, and RFC-7235 states that a WWW-Authenticate header should be added, and it is not.
I raised an issue on the RatpackPac4j tracker here, but it was closed as (I infer) "won't fix" since Pac4j v3 implements this properly. And RatpackPac4j has not been upgraded to work with Pac4j v3 yet.
So: is it possible to insert something which post-processes all responses to, for example, conditionally add a header based on the response?
Aside - I'm using the following versions in my Gradle config:
compile group: 'io.ratpack', name: 'ratpack-groovy', version: '1.5.4'
compile group: 'org.slf4j', name: 'slf4j-simple', version: '1.7.25'
// compile ratpack.dependency('pac4j') // Don't use this, because we need the org.pac4j version
compile group: 'org.pac4j', name: 'ratpack-pac4j', version: '2.0.0'
compile group: 'org.pac4j', name: 'pac4j-core', version: '2.2.1'
compile group: 'org.pac4j', name: 'pac4j-jwt', version: '2.2.1'
compile group: 'org.pac4j', name: 'pac4j-http', version: '2.2.1'
Thanks to John Engelman in the Ratpack Slack channel, here is a work-around: use Response#beforeSend
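handlers {
    all {
        // Runs just before the response is written, whichever later handler sends it
        response.beforeSend { response ->
            if (response.status.code == 401) {
                response.headers.set('WWW-Authenticate', 'bearer realm="authenticated api"')
            }
        }
        next() // delegate to the handlers that follow; without this the request stops here
    }
}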
Note that this handler must be inserted before any others which may generate a 401 response or the callback will not be bound when they are triggered.
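A check of the work-around and of the ordering note above, as an added example that is not part of the original post or of RatpackPac4j. It assumes `io.ratpack:ratpack-groovy-test` (1.5.x) is on the test classpath; the second `all` handler is a constructed stand-in for `RatpackPac4j.requireAuth(HeaderClient)`, and the `api` route and token value are constructed.

```groovy
import ratpack.groovy.test.embed.GroovyEmbeddedApp

def challenge = 'bearer realm="authenticated api"'

// Correct order: the beforeSend callback is bound before the handler that rejects.
GroovyEmbeddedApp.of {
    handlers {
        all {
            response.beforeSend { resp ->
                if (resp.status.code == 401) resp.headers.set('WWW-Authenticate', challenge)
            }
            next()
        }
        // Constructed stand-in for requireAuth: 401 when no Authorization header is sent
        all {
            if (request.headers.get('Authorization')) next() else response.status(401).send()
        }
        get('api') { render 'ok' }
    }
} test {
    def denied = get('api')
    assert denied.statusCode == 401
    assert denied.headers.get('WWW-Authenticate') == challenge

    def allowed = requestSpec { it.headers.set('Authorization', 'Bearer constructed-token') }.get('api')
    assert allowed.statusCode == 200
    assert !allowed.headers.contains('WWW-Authenticate')
}

// Wrong order: the rejecting handler responds first, so the callback is never bound.
GroovyEmbeddedApp.of {
    handlers {
        all {
            if (request.headers.get('Authorization')) next() else response.status(401).send()
        }
        all {
            response.beforeSend { resp ->
                if (resp.status.code == 401) resp.headers.set('WWW-Authenticate', challenge)
            }
            next()
        }
        get('api') { render 'ok' }
    }
} test {
    def denied = get('api')
    assert denied.statusCode == 401
    assert !denied.headers.contains('WWW-Authenticate')
}
```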