来自 Java 的 CloudFlare (Memberful) post 请求产生 403 错误
CloudFlare (Memberful) post requests from Java produce a 403 error
我正在尝试通过 Spring-Boot 应用程序使用 Memberful 对用户进行身份验证。根据Memberful documentation,流程如下:
- 用户登录会员 URL (
https://YOURSITE.memberful.com/oauth?client_id=APPLICATION_IDENTIFIER&response_type=code)
- 用户使用 Memberful 提供的 URL 中的代码重定向到我的前端 (Vue)。
- 代码被传递到我的后端服务器。
- 后端服务器使用
RestTemplate.postForObject(...) 从 Spring 向 https://YOURSITE.memberful.com/oauth/token 发送一个 post 请求,其中包含所有必需的参数(请参见下面的代码片段)。
此时需要访问令牌负载,但返回了 403 错误。
完整方法如下:
import org.springframework.http.*;
import org.springframework.util.MultiValueMap;
...
private JSONObject getMemberfulAccessToken(String strCode){
String strTargetURL = "https://" + memberfulSubDomain + ".memberful.com/oauth/token";
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
parameters.add("client_id", memberfulApplicationIdentifier);
parameters.add("client_secret", memberfulClientSecret);
parameters.add("grant_type", "authorization_code");
parameters.add("code", strCode);
HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(parameters, headers);
String strAccessToken = restTemplate.postForObject(strTargetURL, entity, String.class);
return new JSONObject(strAccessToken);
}
这是回复:
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Access denied | [My Site].memberful.com used Cloudflare to restrict access</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script><!--<![endif]-->
</head>
<body>
<div id="cf-wrapper">
<div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
<div id="cf-error-details" class="cf-error-details-wrapper">
<div class="cf-wrapper cf-header cf-error-overview">
<h1>
<span class="cf-error-type" data-translate="error">Error</span>
<span class="cf-error-code">1010</span>
<small class="heading-ray-id">Ray ID: 515be6c26b80c514 • 2019-09-13 17:39:35 UTC</small>
</h1>
<h2 class="cf-subheadline">Access denied</h2>
</div><!-- /.header -->
<section></section><!-- spacer -->
<div class="cf-section cf-wrapper">
<div class="cf-columns two">
<div class="cf-column">
<h2 data-translate="what_happened">What happened?</h2>
<p>The owner of this website ([My Site].memberful.com) has banned your access based on your browser's signature (515be6c26b80c514-ua21).</p>
</div>
</div>
</div><!-- /.section -->
<div class="cf-error-footer cf-wrapper">
<p>
<span class="cf-footer-item">Cloudflare Ray ID: <strong>515be6c26b80c514</strong></span>
<span class="cf-footer-separator">•</span>
<span class="cf-footer-item"><span>Your IP</span>: 207.200.220.146</span>
<span class="cf-footer-separator">•</span>
<span class="cf-footer-item"><span>Performance & security by</span> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">Cloudflare</a></span>
</p>
</div><!-- /.error-footer -->
</div><!-- /#cf-error-details -->
</div><!-- /#cf-wrapper -->
<script type="text/javascript">
window._cf_translation = {};
</script>
</body>
</html>
修复:添加 JVM 选项 -Dhttp.agent="[Anything you want as the user agent prefix]"
问题: Cloudflare 的 Web 应用程序防火墙阻止 Memberful 接收带有 User-Agent header Java/1.8.0_172 的请求。
Cloudflare 的 documentation 表示如果您收到不是 Cloudflare 品牌的 403 响应,则返回响应的是客户端(在我的例子中是 Memberful 的)服务器。话虽如此,我不确定我收到的对 POST 请求的回复是否可以考虑 "Cloudflare branded",但在我写这篇文章时,Memberful 告诉我他们没有为他们的环境应用了任何自定义设置。
当然还有其他方法可以设置User-Agent header值,但我就是这样做的
此问题是由浏览器完整性检查引起的,即使 WAF 关闭,它也会 运行。使用页面规则或全局关闭浏览器完整性检查以避免此问题。
我正在尝试通过 Spring-Boot 应用程序使用 Memberful 对用户进行身份验证。根据Memberful documentation,流程如下:
- 用户登录会员 URL (
https://YOURSITE.memberful.com/oauth?client_id=APPLICATION_IDENTIFIER&response_type=code) - 用户使用 Memberful 提供的 URL 中的代码重定向到我的前端 (Vue)。
- 代码被传递到我的后端服务器。
- 后端服务器使用
RestTemplate.postForObject(...)从 Spring 向https://YOURSITE.memberful.com/oauth/token发送一个 post 请求,其中包含所有必需的参数(请参见下面的代码片段)。
此时需要访问令牌负载,但返回了 403 错误。
完整方法如下:
import org.springframework.http.*;
import org.springframework.util.MultiValueMap;
...
private JSONObject getMemberfulAccessToken(String strCode){
String strTargetURL = "https://" + memberfulSubDomain + ".memberful.com/oauth/token";
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
parameters.add("client_id", memberfulApplicationIdentifier);
parameters.add("client_secret", memberfulClientSecret);
parameters.add("grant_type", "authorization_code");
parameters.add("code", strCode);
HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(parameters, headers);
String strAccessToken = restTemplate.postForObject(strTargetURL, entity, String.class);
return new JSONObject(strAccessToken);
}
这是回复:
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Access denied | [My Site].memberful.com used Cloudflare to restrict access</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script><!--<![endif]-->
</head>
<body>
<div id="cf-wrapper">
<div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
<div id="cf-error-details" class="cf-error-details-wrapper">
<div class="cf-wrapper cf-header cf-error-overview">
<h1>
<span class="cf-error-type" data-translate="error">Error</span>
<span class="cf-error-code">1010</span>
<small class="heading-ray-id">Ray ID: 515be6c26b80c514 • 2019-09-13 17:39:35 UTC</small>
</h1>
<h2 class="cf-subheadline">Access denied</h2>
</div><!-- /.header -->
<section></section><!-- spacer -->
<div class="cf-section cf-wrapper">
<div class="cf-columns two">
<div class="cf-column">
<h2 data-translate="what_happened">What happened?</h2>
<p>The owner of this website ([My Site].memberful.com) has banned your access based on your browser's signature (515be6c26b80c514-ua21).</p>
</div>
</div>
</div><!-- /.section -->
<div class="cf-error-footer cf-wrapper">
<p>
<span class="cf-footer-item">Cloudflare Ray ID: <strong>515be6c26b80c514</strong></span>
<span class="cf-footer-separator">•</span>
<span class="cf-footer-item"><span>Your IP</span>: 207.200.220.146</span>
<span class="cf-footer-separator">•</span>
<span class="cf-footer-item"><span>Performance & security by</span> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">Cloudflare</a></span>
</p>
</div><!-- /.error-footer -->
</div><!-- /#cf-error-details -->
</div><!-- /#cf-wrapper -->
<script type="text/javascript">
window._cf_translation = {};
</script>
</body>
</html>
修复:添加 JVM 选项 -Dhttp.agent="[Anything you want as the user agent prefix]"
问题: Cloudflare 的 Web 应用程序防火墙阻止 Memberful 接收带有 User-Agent header Java/1.8.0_172 的请求。
Cloudflare 的 documentation 表示如果您收到不是 Cloudflare 品牌的 403 响应,则返回响应的是客户端(在我的例子中是 Memberful 的)服务器。话虽如此,我不确定我收到的对 POST 请求的回复是否可以考虑 "Cloudflare branded",但在我写这篇文章时,Memberful 告诉我他们没有为他们的环境应用了任何自定义设置。
当然还有其他方法可以设置User-Agent header值,但我就是这样做的
此问题是由浏览器完整性检查引起的,即使 WAF 关闭,它也会 运行。使用页面规则或全局关闭浏览器完整性检查以避免此问题。