stackoom
  简体   繁体   中英

Spring Boot and security: How to extend response for 302 status code?

 原文  2017-10-06 14:13:06       java/ spring/ http/ spring-boot/ oauth-2.0

Question

Setup:

  • Spring Boot application
  • OAuth2 security
  • ReactJS for UI implementation

Use case:

  • Login to application
  • open other tab with same application in same browser
  • Logout from application in one of the tabs, user are redirected to Login view
  • Go to first tab(user already logout and if I refresh page I will get login form) and do any action that triggers POST/PUT/PATCH request. Example of request and response below:

Request: 

Request URL:http://localhost:8080/api/info
Request Method:PUT
Status Code:302 Found
Remote Address:[::1]:8080
Referrer Policy:no-referrer-when-downgrade
accept:application/json
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8,sv;q=0.6,ru;q=0.4,uk;q=0.2,fr;q=0.2
Cache-Control:no-cache
Connection:keep-alive
Content-Length:66
Content-Type:application/json
Cookie:_ga=GA1.1.1868465923.1505828166; _gid=GA1.1.612220229.1507272075; session=e4oSW4Kq; prod_user_session=4d6b615f-521704; user_session=g3ggLxJDomyZ
Host:localhost:8080
mode:cors
Origin:http://localhost:8080
Pragma:no-cache
Referer:http://localhost:8080/profile
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Response: 

Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Connection:keep-alive
Content-Length:0
Date:Fri, 06 Oct 2017 12:12:26 GMT
Expires:0
Location:http://localhost:8080/login
Pragma:no-cache
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-XSS-Protection:1; mode=block

After this response system triggers PUT request to http://localhost:8080/login and fails because PUT method not allowed for http://localhost:8080/login request.

Question:

I understands that I'm getting 302 status and Location:http://localhost:8080/login header because I'm already logged out. I want extend response for this case with JSON body or at least ensure that for this case I will get 401 Unauthorised status code instead of 302.

1 answers

solution1
 1 ACCPTED  2017-10-06 14:43:07

If I understood your question correctly, it sounds like you need two different responses for unauthorized requests coming via a regular webpage load ( produces="text/html" ) vs an AJAX call ( produces="application/json" ). Currently your unauthorized AJAX call gets redirected to the login page which is a legit page, hence no 401 response code. Here's an example of a setup that accomplishes what you want using XML configs Spring Security Ajax login and @Configuration config https://stackoverflow.com/a/27300215/1718213

Another option that is even more user-friendly is to use Spring's WebSocket support to signal logout events to all the tabs a given user might have open (across all devices and browsers) that would trigger each tab to redirect to the login page.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Boot API returning HTTP 302 status code How can i custom filter for 302 Status Code in spring mvc java and response.redirect to custom page? Spring Boot: disable security for status exception code How to change Status code in spring boot error response? How to avoid 302 response on https spring security unit test? Spring Security: how to change HTTP Status for response? Return HTTP response with status code 202 in Spring Boot Spring Boot Security OAuth2: WebSecurityConfigurerAdapter: 302 Redirect to /error How to disable 302 redirect in Spring Boot application Spring Security 302 redirection
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM