请求中的多个连续斜杠导致 Tomcat 10 和 Spring 6 出现 400 bad request 错误

问题描述 投票:0回答:1

我正在将旧项目升级到 Spring 6 和 Tomcat 10。在这种情况下,正常请求可以顺利通过。但这样的要求:

http://localhost:9090/proactive-api/rest/order/fetchOrderLists/gokul//orderListing/////////All/50/0/true

抛出cors错误400错误请求。正常请求是这样的:

http://localhost:9090/proactive-api/rest/ObpartnerInfo/gokul/gokul1

这些请求之间的唯一区别是多个连续的斜杠。
这些请求在 Tomcat 8 和 Spring 5 上运行良好。

这是我在 Spring 6 中的安全配置。

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfiguration {

    @Bean
    public static SecurityConfig securityConfig() {
        return new SecurityConfig();
    }

    private static final Logger LOG = LogManager.getLogger(SecurityConfig.class.getName());

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http,
            AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter,
            OBOpenIdConnectFilter oBOpenIdConnectFilter, UnauthorizedEntryPoint unauthorizedEntryPoint)
            throws Exception {
        http.authorizeHttpRequests(authorize -> {
            try {
                authorize.requestMatchers("/openid-login").permitAll().requestMatchers("/rest/**").permitAll()
                        .anyRequest().authenticated();
            } catch (Exception e) {
                LOG.error(e);
                e.printStackTrace();
            }
        }).cors(cors -> cors.configurationSource(this::apiConfigurationSource)).csrf(csrf -> csrf.disable())
                .addFilterBefore(authenticationTokenProcessingFilter, UsernamePasswordAuthenticationFilter.class)
                .addFilterBefore(oBOpenIdConnectFilter, UsernamePasswordAuthenticationFilter.class)
                .exceptionHandling(
                        exceptionHandling -> exceptionHandling.authenticationEntryPoint(unauthorizedEntryPoint));
        return http.build();
    }

    @Bean
    public AuthenticationManager authenticationManager(UserDetailsService mongoDBConnection,
            PasswordEncoder passwordEncoder) {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(mongoDBConnection);
        authenticationProvider.setPasswordEncoder(passwordEncoder);

        return new ProviderManager(authenticationProvider);
    }

    CorsConfiguration apiConfigurationSource(HttpServletRequest request) {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList(request.getHeader("origin")));
        configuration.setExposedHeaders(Arrays.asList("sdpauth, sdprefreshtoken"));
        configuration.setAllowedHeaders(Arrays.asList("*", "Content-Type", "Pragma", "Origin", "Authorization", "party",
                "X-XSRF-TOKEN", "X-Requested-With", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers",
                "Accept", "Access-Control-Allow-Credentials", "X-Auth-Token", "version", "cache"));
        configuration.setAllowCredentials(true);
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS", "HEAD"));
        return configuration;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public AuthenticationTokenProcessingFilter authenticationTokenProcessingFilter(UserDetailsService userService) {
        return new AuthenticationTokenProcessingFilter(userService);
    }
}

我不知道我到底需要做什么改变。在 CORS 配置中,其他正常请求工作正常。

spring spring-security cors get-request tomcat10
1个回答
0
投票

我知道您可能也在研究这个问题,但我想强调的是,理想的做法是更正 URL,使其中不包含双斜杠。

但是,您可以同时配置 

HttpFirewall
以允许该模式,如下所示:

@Bean
HttpFirewall httpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.getDecodedUrlBlocklist().remove("//");
    return firewall;
}
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.