我应该向 Unirest Api 添加什么 headers 让我的服务器接受我的请求?
What are the headers that I should add to Unirest Api to let my server accept my request?
我有一个 ssl secured Rest Spring Boot API 工作正常
我的服务器安全配置class如下
@Override
protected void configure(HttpSecurity http) throws Exception {
// .csrf().disable()
http
.exceptionHandling()
.authenticationEntryPoint(new Http401AuthenticationEntryPoint("App header"))
.and()
.authenticationProvider(getProvider())
.formLogin()
.loginProcessingUrl("/logins/login")
.successHandler(new SimpleUrlAuthenticationSuccessHandler())
.failureHandler(new SimpleUrlAuthenticationFailureHandler())
.and().httpBasic();
http.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new AuthentificationLogoutSuccessHandler())
.invalidateHttpSession(true)
.and().httpBasic();
http.authorizeRequests()
.antMatchers("/docs").hasAnyRole(Role.USER.name(), Role.ADMIN.toString())
.antMatchers("/logins/login").permitAll()
.antMatchers("/logout").permitAll()
.anyRequest().authenticated().and()
.requestCache()
.requestCache(new NullRequestCache())
.and().httpBasic();
System.out.println(" 1 : " + Role.USER.name() + " --- " + Role.USER.toString());
}
当登录到我的 api 时,我收到此 header 作为响应:
[ X-Frame-Options=[DENY],
Transfer-Encoding=[chunked],
Strict-Transport-Security=[max-age=31536000 ; includeSubDomains],
Cache-Control=[private],
X-Content-Type-Options=[nosniff],
Set-Cookie=[JSESSIONID=615FD3642011AE7558D598255D10C85E; Path=/; Secure; HttpOnly],
Expires=[Thu, 01 Jan 1970 01:00:00 CET],
X-XSS-Protection=[1; mode=block],
Date=[Wed, 25 Apr 2018 21:35:16 GMT],
Content-Type=[application/json;charset=UTF-8]]
正如我到目前为止所读到的,将 cookie 添加到我的下一个请求 header 是强制使用我的 JSESSIONID 以允许服务器识别我的 session。
但是通过以下方式在 unirest 上尝试这个:
设置我的 httpClient 来管理 cookies
HttpClient httpClient = HttpClients.custom()
.disableCookieManagement()
.build();
Unirest.setHttpClient(httpClient);
将 header 添加到我的 Unirest api
Predicate<? super Map.Entry<String, List<String>>> prdct = (key) ->{
return key.getKey().equals("Set-Cookie");
};
final String jSessionID = asJson.getHeaders().entrySet().stream().filter(prdct).findFirst().get().getValue().get(0);
System.out.println("jsession id "+jSessionID.split(";")[0]);
Unirest.setDefaultHeader("Cookie", jSessionID.split(";")[0]);
Unirest.setDefaultHeader("authorization", "Basic " + value);
Unirest.setDefaultHeader("Content-Type", "application/json");
但即便如此,我的服务器仍然拒绝服务显示在我下一个请求的答案的开头:
{"timestamp":"2018-04-25T21:35:32.659+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/user/1"}
我该怎么办?
csrf 处于活动状态是问题当我通过取消注释服务器配置来停用 CSRF 时,这工作正常所以我搜索了一个演示应用程序,csrf 保持活动状态,我发现 this
我有一个 ssl secured Rest Spring Boot API 工作正常
我的服务器安全配置class如下
@Override
protected void configure(HttpSecurity http) throws Exception {
// .csrf().disable()
http
.exceptionHandling()
.authenticationEntryPoint(new Http401AuthenticationEntryPoint("App header"))
.and()
.authenticationProvider(getProvider())
.formLogin()
.loginProcessingUrl("/logins/login")
.successHandler(new SimpleUrlAuthenticationSuccessHandler())
.failureHandler(new SimpleUrlAuthenticationFailureHandler())
.and().httpBasic();
http.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(new AuthentificationLogoutSuccessHandler())
.invalidateHttpSession(true)
.and().httpBasic();
http.authorizeRequests()
.antMatchers("/docs").hasAnyRole(Role.USER.name(), Role.ADMIN.toString())
.antMatchers("/logins/login").permitAll()
.antMatchers("/logout").permitAll()
.anyRequest().authenticated().and()
.requestCache()
.requestCache(new NullRequestCache())
.and().httpBasic();
System.out.println(" 1 : " + Role.USER.name() + " --- " + Role.USER.toString());
}
当登录到我的 api 时,我收到此 header 作为响应:
[ X-Frame-Options=[DENY],
Transfer-Encoding=[chunked],
Strict-Transport-Security=[max-age=31536000 ; includeSubDomains],
Cache-Control=[private],
X-Content-Type-Options=[nosniff],
Set-Cookie=[JSESSIONID=615FD3642011AE7558D598255D10C85E; Path=/; Secure; HttpOnly],
Expires=[Thu, 01 Jan 1970 01:00:00 CET],
X-XSS-Protection=[1; mode=block],
Date=[Wed, 25 Apr 2018 21:35:16 GMT],
Content-Type=[application/json;charset=UTF-8]]
正如我到目前为止所读到的,将 cookie 添加到我的下一个请求 header 是强制使用我的 JSESSIONID 以允许服务器识别我的 session。 但是通过以下方式在 unirest 上尝试这个:
设置我的 httpClient 来管理 cookies
HttpClient httpClient = HttpClients.custom() .disableCookieManagement() .build(); Unirest.setHttpClient(httpClient);将 header 添加到我的 Unirest api
Predicate<? super Map.Entry<String, List<String>>> prdct = (key) ->{ return key.getKey().equals("Set-Cookie"); }; final String jSessionID = asJson.getHeaders().entrySet().stream().filter(prdct).findFirst().get().getValue().get(0); System.out.println("jsession id "+jSessionID.split(";")[0]); Unirest.setDefaultHeader("Cookie", jSessionID.split(";")[0]); Unirest.setDefaultHeader("authorization", "Basic " + value); Unirest.setDefaultHeader("Content-Type", "application/json");
但即便如此,我的服务器仍然拒绝服务显示在我下一个请求的答案的开头:
{"timestamp":"2018-04-25T21:35:32.659+0000","status":403,"error":"Forbidden","message":"Forbidden","path":"/user/1"}
我该怎么办?
csrf 处于活动状态是问题当我通过取消注释服务器配置来停用 CSRF 时,这工作正常所以我搜索了一个演示应用程序,csrf 保持活动状态,我发现 this