ResponseStatusException 永远不会返回给用户
ResponseStatusException is never returned back to user
我有一个 Spring Boot Rest API,它在允许请求通过所请求的方法之前进行一些验证过滤。当它到达请求的端点时,我对发送到服务器的数据进行一些验证,如果数据格式不正确,我想 return BAD REQUEST 响应。然而,尝试抛出 Springs ResponseStatusException 不起作用,相反它总是 returns 403 Forbidden,我不知道为什么。
@Configuration
@EnableWebSecurity
@Slf4j
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
JWTUtility jwtUtility;
@Autowired
UserRepository repository;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtility, repository))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(HttpMethod.POST, "/users");
}
}
.
@RestController
@RequestMapping("/users")
@Slf4j
public class UserController {
private final UserRepository repository;
private final Pbkdf2PasswordEncoder passwordEncoder;
UserController(UserRepository repository, Pbkdf2PasswordEncoder passwordEncoder, JWTUtility jwtUtility) {
this.repository = repository;
this.passwordEncoder = passwordEncoder;
this.jwtUtility = jwtUtility;
}
@PostMapping
User create(@RequestBody User user) {
if (user.getFirstName() == null || user.getFirstName().isEmpty()
|| user.getLastName() == null || user.getLastName().isEmpty()
|| user.getEmail() == null || user.getEmail().isEmpty()
|| user.getDisplayName() == null || user.getDisplayName().isEmpty()
|| user.getPassword() == null || user.getPassword().isEmpty()) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "First name, last name, email, display name, and password must be provided when creating a new user.");
}
if (repository.findByEmail(user.getEmail()) != null) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "A user with that email already exists");
}
if (repository.findByDisplayName(user.getDisplayName()) != null) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "A user with that display name already exists");
}
user.setId(0);
user.setPassword(passwordEncoder.encode(user.getPassword()));
repository.save(user);
return user;
}
}
我希望错误的请求能够根据我提供的描述返回给用户。 Spring 是在某处截取这个吗?我该如何阻止它。
原来这是安全配置的问题,而我在 Web 安全配置中忽略了 /users 端点,允许请求通过该方法,显然在该方法中抛出异常导致http安全介入拦截。
因此,将我的 http 安全性更改为如下所示,
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/users").permitAll()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtility, repository))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
问题已解决。奇怪的是它的行为是这样的,因为如果请求成功并且我不需要抛出异常,用户对象 returns 就好了。看来抛出异常导致它不仅要注意web安全还要注意http安全
我有一个 Spring Boot Rest API,它在允许请求通过所请求的方法之前进行一些验证过滤。当它到达请求的端点时,我对发送到服务器的数据进行一些验证,如果数据格式不正确,我想 return BAD REQUEST 响应。然而,尝试抛出 Springs ResponseStatusException 不起作用,相反它总是 returns 403 Forbidden,我不知道为什么。
@Configuration
@EnableWebSecurity
@Slf4j
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
JWTUtility jwtUtility;
@Autowired
UserRepository repository;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtility, repository))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(HttpMethod.POST, "/users");
}
}
.
@RestController
@RequestMapping("/users")
@Slf4j
public class UserController {
private final UserRepository repository;
private final Pbkdf2PasswordEncoder passwordEncoder;
UserController(UserRepository repository, Pbkdf2PasswordEncoder passwordEncoder, JWTUtility jwtUtility) {
this.repository = repository;
this.passwordEncoder = passwordEncoder;
this.jwtUtility = jwtUtility;
}
@PostMapping
User create(@RequestBody User user) {
if (user.getFirstName() == null || user.getFirstName().isEmpty()
|| user.getLastName() == null || user.getLastName().isEmpty()
|| user.getEmail() == null || user.getEmail().isEmpty()
|| user.getDisplayName() == null || user.getDisplayName().isEmpty()
|| user.getPassword() == null || user.getPassword().isEmpty()) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "First name, last name, email, display name, and password must be provided when creating a new user.");
}
if (repository.findByEmail(user.getEmail()) != null) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "A user with that email already exists");
}
if (repository.findByDisplayName(user.getDisplayName()) != null) {
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "A user with that display name already exists");
}
user.setId(0);
user.setPassword(passwordEncoder.encode(user.getPassword()));
repository.save(user);
return user;
}
}
我希望错误的请求能够根据我提供的描述返回给用户。 Spring 是在某处截取这个吗?我该如何阻止它。
原来这是安全配置的问题,而我在 Web 安全配置中忽略了 /users 端点,允许请求通过该方法,显然在该方法中抛出异常导致http安全介入拦截。
因此,将我的 http 安全性更改为如下所示,
http
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, "/users").permitAll()
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtility, repository))
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
问题已解决。奇怪的是它的行为是这样的,因为如果请求成功并且我不需要抛出异常,用户对象 returns 就好了。看来抛出异常导致它不仅要注意web安全还要注意http安全