Spring Boot:返回 403 而不是 405
问题描述 投票:0回答:0
我有一个 Spring Boot 应用程序,它是安全性的一部分,我在 ApiSecurityConfig 类中有这个方法:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.exceptionHandling().authenticationEntryPoint(authEntryPoint)
.and()
.authorizeHttpRequests()
.antMatchers(
"/h2-console/**",
"/swagger-resources/**",
"/v2/api-docs",
"/swagger-ui/**",
"/auth/**",
"/user",
"/csrf")
.permitAll()
.anyRequest()
.authenticated()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authenticationProvider(authenticationProvider)
.headers(headers -> headers.frameOptions().disable())
.csrf(csrf -> csrf.ignoringAntMatchers("/h2-console/**", "/swagger-ui/**"))
.addFilterBefore(malformedTokenHandler, LogoutFilter.class)
.addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
return http.build();
}
我需要启用 CSRF 所以我没有使用
http
.csrf().disable();
我还使用一个类来处理这样的异常:
public class RestExceptionHandlingController {
private final HttpServletRequest request;
private final MessageSource messageSource;
public RestExceptionHandlingController(HttpServletRequest request,
MessageSource messageSource) {
this.request = request;
this.messageSource = messageSource;
}
private ResponseEntity<Object> buildResponseEntity(
Exception exception, ExceptionResponseObject exceptionResponseObject) {
if (exception != null) {
exception.printStackTrace();
log.error("Error Message: {}", exception.getMessage());
}
return new ResponseEntity<>(exceptionResponseObject, exceptionResponseObject.getStatus());
}
@ResponseStatus(HttpStatus.BAD_REQUEST)
@ExceptionHandler(MethodArgumentNotValidException.class)
public ResponseEntity<?> handleValidationErrors(MethodArgumentNotValidException exception, Locale locale) {
String methodName = "handlerValidateException";
log.error("{} -> Error fields: {}", methodName, exception.getCause(), exception);
List<ValidationError> validationErrors = new ArrayList<>();
exception.getBindingResult().getAllErrors().forEach((error) -> {
String object = error.getObjectName();
String field = ((FieldError) error).getField();
Object rejectedValue = ((FieldError) error).getRejectedValue();
String errorMessage;
try {
errorMessage = messageSource.getMessage(
(Objects.requireNonNull(error.getDefaultMessage())), null, locale);
} catch (Exception e) {
errorMessage = error.getDefaultMessage();
}
validationErrors.add(new ValidationError(object, field, rejectedValue, errorMessage));
log.error("Validation Error:"
+ " Path {},"
+ " Object {},"
+ " Field {}, "
+ " Rejected Value {},"
+ " Message: {}",
request.getRequestURI(), object, field, rejectedValue, errorMessage);
});
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body(new ExceptionResponseObject(HttpStatus.BAD_REQUEST, "Validation Errors", validationErrors));
}
@ExceptionHandler(BadRequestException.class)
public ResponseEntity<?> handleBadRequest(BadRequestException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.BAD_REQUEST, exception.getMessage(),
exception.getValidationErrors());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(ConflictException.class)
public ResponseEntity<?> handleConflict(ConflictException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.CONFLICT, exception.getMessage(), exception.getValidationErrors());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(NotFoundException.class)
public ResponseEntity<?> handleNotFound(NotFoundException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.NOT_FOUND, exception.getMessage(),
exception.getValidationErrors());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(Exception.class)
public ResponseEntity<Object> handleInternalServerError(Exception exception) {
if (exception instanceof NullPointerException) {
return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
}
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.INTERNAL_SERVER_ERROR, exception.getMessage());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(HttpMessageNotReadableException.class)
public ResponseEntity<Object> handleMissingRequestBody(HttpMessageNotReadableException exception) {
return new ResponseEntity<>("Required request body is missing", HttpStatus.BAD_REQUEST);
}
@ExceptionHandler(HttpRequestMethodNotSupportedException.class)
public ResponseEntity<Object> handleHttpRequestMethodNotSupportedException(
HttpRequestMethodNotSupportedException exception) {
return new ResponseEntity<>("Method not supported", HttpStatus.NOT_IMPLEMENTED);
}
@ExceptionHandler(ServiceUnavailableException.class)
public ResponseEntity<Object> handleServiceUnavailableException(ServiceUnavailableException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.SERVICE_UNAVAILABLE, exception.getMessage());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(BadGatewayException.class)
public ResponseEntity<Object> handleBadGatewayException(BadGatewayException ex) {
log.error("Error handling Bad Gateway exception: {}", ex.getMessage());
ExceptionResponseObject response = new ExceptionResponseObject(HttpStatus.BAD_GATEWAY, "Bad Gateway");
return new ResponseEntity<>(response, HttpStatus.BAD_GATEWAY);
}
@ResponseStatus(HttpStatus.UNAUTHORIZED)
@ExceptionHandler(AuthenticationException.class)
public ResponseEntity<?> handleAuthenticationException(AuthenticationException ex) {
HttpStatus httpStatus = HttpStatus.UNAUTHORIZED;
String message = ex.getLocalizedMessage();
if (ex.getLocalizedMessage().equals("Full authentication is required to access this resource")) {
httpStatus = HttpStatus.FORBIDDEN;
message = "Missing Credentials!";
}
ExceptionResponseObject errorResponse = new ExceptionResponseObject(httpStatus,
"AUTHENTICATION FAILED: " + message);
return ResponseEntity.status(httpStatus).body(errorResponse);
}
@ResponseStatus(HttpStatus.FORBIDDEN)
@ExceptionHandler(AccessDeniedException.class)
public ResponseEntity<?> handleAccessDeniedException(AccessDeniedException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.FORBIDDEN, exception.getMessage());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(ExpiredJwtException.class)
public ResponseEntity<?> handleInvalidToken(ExpiredJwtException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.FORBIDDEN, exception.getMessage());
return buildResponseEntity(exception, exceptionResponseObject);
}
@ExceptionHandler(MalformedJwtException.class)
public ResponseEntity<?> handleInvalidToken(MalformedJwtException exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.FORBIDDEN, exception.getMessage());
return buildResponseEntity(exception, exceptionResponseObject);
@ExceptionHandler(MethodNotAllowedException.class)
public ResponseEntity<?> handleMethodNotAllowedException(MethodNotAllowedException
exception) {
ExceptionResponseObject exceptionResponseObject =
new ExceptionResponseObject(HttpStatus.METHOD_NOT_ALLOWED, "Method not
allowed.");
return buildResponseEntity(exception, exceptionResponseObject);
}
}
我在 CustomAuthenticationEntryPoint 类中也有一个启动方法,如下所示:
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException)
throws IOException, ServletException {
response.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
response.getWriter().write("{\"message\": \"Method not allowed\"}");
}
所以当我尝试在邮递员中测试端点时,例如调用 POST 而不是 GET 抛出 403 Forbidden 而不是 405 Method Not Allowed。那么如何解决呢?
最新问题
- 使用实时数据库的 Firebase 身份验证不适用于 C#
- 使用next js和express时如何去掉浏览器中的cookie
- GLPI 门票工作流程
- 为什么我在动态安装和卸载组件时收到错误<Error: Cannot update an unmounted root.>
- 如何根据课程类型返回所有记录?
- 如何编辑/删除 iFrame 内的内容?
- Ansible 循环,以 dict 作为 ansible_loop_var 键/值;错误`参数'release_values'的类型为<class 'str'>,我们无法转换为字典`
- 将 Python 字典映射到 Polars 系列
- PostgreSQL:获取 array1 值在 array2 中出现的次数
- 如何在php中运行node.js以及如何将抓取结果导入php
- 为什么在 Rust 结构中只允许最后一个字段具有动态大小的类型
- 在.ddev目录中找不到docker-compose.yaml文件
- 如何打开文件对话框?
- Hibernate 中的外键问题
- 如何将Spring Boot 3 httpRestClient错误response.body记录为可读字符串?
- Python 3 + OpenCV + Mediapipe。多目标跟踪
- 错误:“push”的指令后缀无效[重复]
- 如何检测窗口关闭?
- 如何创建具有多个参数和多个插入语句的存储过程?
- React Material UI 和 React hook 形成清晰按钮动态组件
© www.soinside.com 2019 - 2024. All rights reserved.