具有多个 HTTP 代码状态的 ResponseBodyEmitter
[英]ResponseBodyEmitter with mutliple HTTP code status
问题描述
For some security reason, we have added a common spring filter that perform a cross-cutting check and drop a 403 when a security rule is broken.
出于某种安全原因,我们添加了一个常见的 spring 过滤器,该过滤器执行横切检查并在违反安全规则时丢弃 403。
The solution is working fine in case of synchronous endpoint (ie returning a ResponseBody<SomeDTO> )该解决方案在同步端点的情况下工作正常(即返回ResponseBody<SomeDTO> )
However, we have several asynchronous endpoints which return ResponseBodyEmitter .但是,我们有几个返回ResponseBodyEmitter的异步端点。
If (checks == false){
// Then the filter should erase the response body and override the http status to 403.
}
For asynchronous method,the checks are performed during the response sending.对于异步方法,在响应发送期间执行检查。
Hence the endpoint may send at the beginning 200 with a response body and then drops the connection with 403 and empty body.因此,端点可能会在开始时发送 200 响应正文,然后断开与 403 和空正文的连接。
Question: From design wise, is this behavior coherent with REST?问题:从设计角度来看,这种行为是否与 REST 一致? (ie OK OK OK and then FORBIDDEN) (即 OK OK OK 然后 FORBIDDEN)
1 个解决方案
解决方案1
0 2022-08-29 17:40:12
A HTTP request can only return 1 HTTP response, so "OK OK OK and then FORBIDDEN" is not actually possible.一个 HTTP 请求只能返回 1 个 HTTP 响应,所以“OK OK OK 然后 FORBIDDEN”实际上是不可能的。 So REST doesn't care if you have some internal state that defaults to 200, eventually becomes 403 and then the last one gets sent back to the client.所以 REST 不在乎你是否有一些内部 state 默认为 200,最终变为 403,然后最后一个被发送回客户端。 HTTP and REST doesn't know what goes on in your server leading to that 403. HTTP 和 REST 不知道导致 403 的服务器发生了什么。
However, if you have some mechanism that does permission checks after processing the entire request, and if the user doesn't have permission it erases the response body and sets a 403 response, that only seems reasonable for safe methods (eg: read-only methods like GET).但是,如果您有某种机制在处理整个请求后进行权限检查,并且如果用户没有权限,它会删除响应正文并设置 403 响应,这对于安全方法来说似乎是合理的(例如:只读GET 等方法)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.