Content-Type = text/xml 的 POST 请求返回 403 Forbidden SQL-Injection 错误
403 Forbidden SQL-Injection Error for POST with Content-Type = text/xml
我需要使用 feign 发出 API 请求。方法类型:POST;Headers 必须包括 Content-Type = text/xml。
我的代码:
/**
 * Connection settings for the machine client, bound by Spring from the
 * `client.machine.*` properties. The fields are `lateinit` because Spring
 * assigns them after construction.
 */
@Component
@ConfigurationProperties("client.machine")
class MachineProperties {
    // Base URL the Feign proxy is targeted at.
    lateinit var url: String
    // Timeout kept as a String; it is parsed with toInt() where the Feign
    // Request.Options is built, so a non-numeric value fails at bean creation.
    lateinit var timeout: String
}
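@Configuration
class MachineClientConfig(
    private val connectionProperties: MachineProperties,
    private val meterRegistry: MeterRegistry,
    private val objectMapper: ObjectMapper
) {
    /**
     * Builds the Feign proxy for [MachineApi].
     *
     * The request body is serialised by [JacksonEncoder], i.e. as JSON, while
     * [MachineApi] fixes the Content-Type header to `text/xml`; nothing here
     * reconciles the two. `decode404()` lets 404 responses reach the decoder
     * instead of raising a FeignException. URL and timeout both come from
     * [MachineProperties]; a non-numeric timeout throws NumberFormatException
     * when this bean is created.
     */
    @Bean
    fun machineApi(): MachineApi {
        // Parsed once; the same value serves as connect and read timeout.
        val timeoutMillis = connectionProperties.timeout.toInt()
        return Feign.builder()
            .addCapability(MicrometerCapability(meterRegistry))
            .retryer(DefaultEtsmIntegratonRetryer())
            .encoder(JacksonEncoder(objectMapper))
            .decoder(JacksonDecoder(objectMapper))
            .decode404()
            .logger(Slf4jLogger(MachineApi::class.java))
            .options(Request.Options(timeoutMillis, timeoutMillis))
            // target() yields a Java platform type; the declared return type
            // makes it non-null without `!!`.
            .target(MachineApi::class.java, connectionProperties.url)
    }
}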
/**
 * Feign contract for the machine service. Both headers are fixed to
 * `text/xml`; the [sendRequest] body itself is produced by whichever Encoder
 * the Feign builder was configured with.
 */
@Headers(
    "${HttpHeaders.ACCEPT}: ${MediaType.TEXT_XML_VALUE}",
    "${HttpHeaders.CONTENT_TYPE}: ${MediaType.TEXT_XML_VALUE}"
)
interface MachineApi {
    /** POSTs [body] to `/api/v1/charge` and decodes the reply as [MachineResponse]. */
    @RequestLine("POST /api/v1/charge")
    fun sendRequest(body: String): MachineResponse
}
/**
 * Service facade over [MachineApi]. [dealId] is accepted by the signature
 * but is not forwarded to the API.
 */
@Service
class MachineClient(private val machineApi: MachineApi) {
    fun sendRequest(body: String, dealId: Long): MachineResponse =
        machineApi.sendRequest(body)
}
/**
 * Feign Encoder that serialises every request body as JSON with Jackson.
 * A String body is therefore written as a JSON string value (quoted and
 * escaped), not copied verbatim, so it does not yield the raw XML document a
 * {@code text/xml} endpoint expects; the Content-Type header is not touched here.
 */
public class JacksonEncoder implements Encoder {
    private final ObjectMapper mapper;

    /** Uses a fresh ObjectMapper with no extra modules. */
    public JacksonEncoder() {
        this(Collections.<Module>emptyList());
    }

    /** Builds a mapper that omits nulls, indents output and registers the given modules. */
    public JacksonEncoder(Iterable<Module> modules) {
        this(new ObjectMapper()
            .setSerializationInclusion(JsonInclude.Include.NON_NULL)
            .configure(SerializationFeature.INDENT_OUTPUT, true)
            .registerModules(modules));
    }

    /** Uses the caller-supplied mapper as-is; this is the constructor the Spring config above calls. */
    public JacksonEncoder(ObjectMapper mapper) {
        this.mapper = mapper;
    }

    /**
     * Serialises {@code object} as the declared {@code bodyType} and stores the
     * resulting UTF-8 bytes on the template.
     *
     * @throws EncodeException wrapping any JsonProcessingException from Jackson
     */
    @Override
    public void encode(Object object, Type bodyType, RequestTemplate template) {
        try {
            JavaType javaType = mapper.getTypeFactory().constructType(bodyType);
            template.body(mapper.writerFor(javaType).writeValueAsBytes(object), Util.UTF_8);
        } catch (JsonProcessingException e) {
            throw new EncodeException(e.getMessage(), e);
        }
    }
}
当我从 MachineClient 类调用 sendRequest 方法时,出现如下错误:
feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://dev.ed.com/tsm/v1/charge] [MachineApi#sendRequest(String)]: [{
"httpCode": "403",
"moreInformation": "SQL-Injection Error"
}]
但是当我通过 curl 发出同样的请求时却能正常工作。
curl --location --request POST 'https://dev.ed.com/tsm/v1/charge' \
--header 'Content-Type: text/xml' \
--data-raw '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ChargeRq>...</ChargeRq>'
我的代码中缺少了什么,为什么会出现这个错误?请帮忙,我已经没有别的思路了。
解决方法如下:
由于必须使用 Content-Type = "text/xml",所以我需要改用 JAXBEncoder。(JacksonEncoder 会把 String 当作 JSON 值序列化,即加上引号并转义,因此发出的请求体与 text/xml 头不匹配,被服务端拒绝。)在这种情况下,我发送的不再是字符串,而是 ChargeRqType —— 一个通过 JAXB 得到的对象。
/**
 * Connection settings for the machine client, bound by Spring from the
 * `client.machine.*` properties. The fields are `lateinit` because Spring
 * assigns them after construction.
 */
@Component
@ConfigurationProperties("client.machine")
class MachineProperties {
    // Base URL the Feign proxy is targeted at.
    lateinit var url: String
    // Timeout kept as a String; it is parsed with toInt() where the Feign
    // Request.Options is built, so a non-numeric value fails at bean creation.
    lateinit var timeout: String
}
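@Configuration
class MachineClientConfig(
    private val connectionProperties: MachineProperties,
    private val meterRegistry: MeterRegistry,
    private val jaxbContextFactory: JAXBContextFactory,
    private val objectMapper: ObjectMapper
) {
    /**
     * Builds the Feign proxy for [MachineApi].
     *
     * Requests are marshalled with [JAXBEncoder] (XML, matching the `text/xml`
     * Content-Type declared on [MachineApi]); responses are still decoded with
     * Jackson. URL and timeout both come from [MachineProperties]; a non-numeric
     * timeout throws NumberFormatException when this bean is created.
     */
    @Bean
    fun creditMachineApi(): MachineApi {
        // Parsed once; the same value serves as connect and read timeout.
        val timeoutMillis = connectionProperties.timeout.toInt()
        return Feign.builder()
            .addCapability(MicrometerCapability(meterRegistry))
            .retryer(DefaultEtsmIntegratonRetryer())
            .encoder(JAXBEncoder(jaxbContextFactory))
            .decoder(JacksonDecoder(objectMapper))
            .logger(Slf4jLogger(MachineApi::class.java))
            .options(Request.Options(timeoutMillis, timeoutMillis))
            // target() yields a Java platform type; the declared return type
            // makes it non-null without `!!`.
            .target(MachineApi::class.java, connectionProperties.url)
    }
}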
/**
 * Feign contract for the machine service. Both headers are fixed to
 * `text/xml`; the [sendRequest] body is marshalled by whichever Encoder the
 * Feign builder was configured with.
 */
@Headers(
    "${HttpHeaders.ACCEPT}: ${MediaType.TEXT_XML_VALUE}",
    "${HttpHeaders.CONTENT_TYPE}: ${MediaType.TEXT_XML_VALUE}"
)
interface MachineApi {
    /** POSTs [body] to `/tsm/v1/charge` and decodes the reply as [MachineResponse]. */
    @RequestLine("POST /tsm/v1/charge")
    fun sendRequest(body: ChargeRqType): MachineResponse
}
/**
 * Service facade over [MachineApi]. [dealId] is accepted by the signature
 * but is not forwarded to the API.
 */
@Service
class MachineClient(private val machineApi: MachineApi) {
    fun sendRequest(body: ChargeRqType, dealId: Long): MachineResponse {
        return machineApi.sendRequest(body)
    }
}
@Configuration
class JAXBConfig {
    /**
     * JAXB context factory used by the Feign JAXBEncoder: marshals as UTF-8 and
     * sets the marshaller's schema-location property.
     *
     * NOTE(review): `.path` is the classpath-relative path of the resource, not
     * a resolvable URL; confirm that is the schemaLocation value the receiving
     * service expects in the emitted XML.
     */
    @Bean
    fun jaxbContextFactory(): JAXBContextFactory {
        val schemaLocation = ClassPathResource("xsd/SrvCreateApp03.xsd").path
        return JAXBContextFactory.Builder()
            .withMarshallerJAXBEncoding("UTF-8")
            .withMarshallerSchemaLocation(schemaLocation)
            .build()
    }
}
我需要使用 feign 发出 API 请求。方法类型:POST;Headers 必须包括 Content-Type = text/xml。
我的代码:
/**
 * Connection settings for the machine client, bound by Spring from the
 * `client.machine.*` properties. The fields are `lateinit` because Spring
 * assigns them after construction.
 */
@Component
@ConfigurationProperties("client.machine")
class MachineProperties {
    // Base URL the Feign proxy is targeted at.
    lateinit var url: String
    // Timeout kept as a String; it is parsed with toInt() where the Feign
    // Request.Options is built, so a non-numeric value fails at bean creation.
    lateinit var timeout: String
}
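@Configuration
class MachineClientConfig(
    private val connectionProperties: MachineProperties,
    private val meterRegistry: MeterRegistry,
    private val objectMapper: ObjectMapper
) {
    /**
     * Builds the Feign proxy for [MachineApi].
     *
     * The request body is serialised by [JacksonEncoder], i.e. as JSON, while
     * [MachineApi] fixes the Content-Type header to `text/xml`; nothing here
     * reconciles the two. `decode404()` lets 404 responses reach the decoder
     * instead of raising a FeignException. URL and timeout both come from
     * [MachineProperties]; a non-numeric timeout throws NumberFormatException
     * when this bean is created.
     */
    @Bean
    fun machineApi(): MachineApi {
        // Parsed once; the same value serves as connect and read timeout.
        val timeoutMillis = connectionProperties.timeout.toInt()
        return Feign.builder()
            .addCapability(MicrometerCapability(meterRegistry))
            .retryer(DefaultEtsmIntegratonRetryer())
            .encoder(JacksonEncoder(objectMapper))
            .decoder(JacksonDecoder(objectMapper))
            .decode404()
            .logger(Slf4jLogger(MachineApi::class.java))
            .options(Request.Options(timeoutMillis, timeoutMillis))
            // target() yields a Java platform type; the declared return type
            // makes it non-null without `!!`.
            .target(MachineApi::class.java, connectionProperties.url)
    }
}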
/**
 * Feign contract for the machine service. Both headers are fixed to
 * `text/xml`; the [sendRequest] body itself is produced by whichever Encoder
 * the Feign builder was configured with.
 */
@Headers(
    "${HttpHeaders.ACCEPT}: ${MediaType.TEXT_XML_VALUE}",
    "${HttpHeaders.CONTENT_TYPE}: ${MediaType.TEXT_XML_VALUE}"
)
interface MachineApi {
    /** POSTs [body] to `/api/v1/charge` and decodes the reply as [MachineResponse]. */
    @RequestLine("POST /api/v1/charge")
    fun sendRequest(body: String): MachineResponse
}
/**
 * Service facade over [MachineApi]. [dealId] is accepted by the signature
 * but is not forwarded to the API.
 */
@Service
class MachineClient(private val machineApi: MachineApi) {
    fun sendRequest(body: String, dealId: Long): MachineResponse =
        machineApi.sendRequest(body)
}
/**
 * Feign Encoder that serialises every request body as JSON with Jackson.
 * A String body is therefore written as a JSON string value (quoted and
 * escaped), not copied verbatim, so it does not yield the raw XML document a
 * {@code text/xml} endpoint expects; the Content-Type header is not touched here.
 */
public class JacksonEncoder implements Encoder {
    private final ObjectMapper mapper;

    /** Uses a fresh ObjectMapper with no extra modules. */
    public JacksonEncoder() {
        this(Collections.<Module>emptyList());
    }

    /** Builds a mapper that omits nulls, indents output and registers the given modules. */
    public JacksonEncoder(Iterable<Module> modules) {
        this(new ObjectMapper()
            .setSerializationInclusion(JsonInclude.Include.NON_NULL)
            .configure(SerializationFeature.INDENT_OUTPUT, true)
            .registerModules(modules));
    }

    /** Uses the caller-supplied mapper as-is; this is the constructor the Spring config above calls. */
    public JacksonEncoder(ObjectMapper mapper) {
        this.mapper = mapper;
    }

    /**
     * Serialises {@code object} as the declared {@code bodyType} and stores the
     * resulting UTF-8 bytes on the template.
     *
     * @throws EncodeException wrapping any JsonProcessingException from Jackson
     */
    @Override
    public void encode(Object object, Type bodyType, RequestTemplate template) {
        try {
            JavaType javaType = mapper.getTypeFactory().constructType(bodyType);
            template.body(mapper.writerFor(javaType).writeValueAsBytes(object), Util.UTF_8);
        } catch (JsonProcessingException e) {
            throw new EncodeException(e.getMessage(), e);
        }
    }
}
当我从 MachineClient 类调用 sendRequest 方法时,出现如下错误:
feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://dev.ed.com/tsm/v1/charge] [MachineApi#sendRequest(String)]: [{
"httpCode": "403",
"moreInformation": "SQL-Injection Error"
}]
但是当我通过 curl 发出同样的请求时却能正常工作。
curl --location --request POST 'https://dev.ed.com/tsm/v1/charge' \
--header 'Content-Type: text/xml' \
--data-raw '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ChargeRq>...</ChargeRq>'
我的代码中缺少了什么,为什么会出现这个错误?请帮忙,我已经没有别的思路了。
解决方法如下:
由于必须使用 Content-Type = "text/xml",所以我需要改用 JAXBEncoder。(JacksonEncoder 会把 String 当作 JSON 值序列化,即加上引号并转义,因此发出的请求体与 text/xml 头不匹配,被服务端拒绝。)在这种情况下,我发送的不再是字符串,而是 ChargeRqType —— 一个通过 JAXB 得到的对象。
/**
 * Connection settings for the machine client, bound by Spring from the
 * `client.machine.*` properties. The fields are `lateinit` because Spring
 * assigns them after construction.
 */
@Component
@ConfigurationProperties("client.machine")
class MachineProperties {
    // Base URL the Feign proxy is targeted at.
    lateinit var url: String
    // Timeout kept as a String; it is parsed with toInt() where the Feign
    // Request.Options is built, so a non-numeric value fails at bean creation.
    lateinit var timeout: String
}
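@Configuration
class MachineClientConfig(
    private val connectionProperties: MachineProperties,
    private val meterRegistry: MeterRegistry,
    private val jaxbContextFactory: JAXBContextFactory,
    private val objectMapper: ObjectMapper
) {
    /**
     * Builds the Feign proxy for [MachineApi].
     *
     * Requests are marshalled with [JAXBEncoder] (XML, matching the `text/xml`
     * Content-Type declared on [MachineApi]); responses are still decoded with
     * Jackson. URL and timeout both come from [MachineProperties]; a non-numeric
     * timeout throws NumberFormatException when this bean is created.
     */
    @Bean
    fun creditMachineApi(): MachineApi {
        // Parsed once; the same value serves as connect and read timeout.
        val timeoutMillis = connectionProperties.timeout.toInt()
        return Feign.builder()
            .addCapability(MicrometerCapability(meterRegistry))
            .retryer(DefaultEtsmIntegratonRetryer())
            .encoder(JAXBEncoder(jaxbContextFactory))
            .decoder(JacksonDecoder(objectMapper))
            .logger(Slf4jLogger(MachineApi::class.java))
            .options(Request.Options(timeoutMillis, timeoutMillis))
            // target() yields a Java platform type; the declared return type
            // makes it non-null without `!!`.
            .target(MachineApi::class.java, connectionProperties.url)
    }
}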
/**
 * Feign contract for the machine service. Both headers are fixed to
 * `text/xml`; the [sendRequest] body is marshalled by whichever Encoder the
 * Feign builder was configured with.
 */
@Headers(
    "${HttpHeaders.ACCEPT}: ${MediaType.TEXT_XML_VALUE}",
    "${HttpHeaders.CONTENT_TYPE}: ${MediaType.TEXT_XML_VALUE}"
)
interface MachineApi {
    /** POSTs [body] to `/tsm/v1/charge` and decodes the reply as [MachineResponse]. */
    @RequestLine("POST /tsm/v1/charge")
    fun sendRequest(body: ChargeRqType): MachineResponse
}
/**
 * Service facade over [MachineApi]. [dealId] is accepted by the signature
 * but is not forwarded to the API.
 */
@Service
class MachineClient(private val machineApi: MachineApi) {
    fun sendRequest(body: ChargeRqType, dealId: Long): MachineResponse {
        return machineApi.sendRequest(body)
    }
}
@Configuration
class JAXBConfig {
    /**
     * JAXB context factory used by the Feign JAXBEncoder: marshals as UTF-8 and
     * sets the marshaller's schema-location property.
     *
     * NOTE(review): `.path` is the classpath-relative path of the resource, not
     * a resolvable URL; confirm that is the schemaLocation value the receiving
     * service expects in the emitted XML.
     */
    @Bean
    fun jaxbContextFactory(): JAXBContextFactory {
        val schemaLocation = ClassPathResource("xsd/SrvCreateApp03.xsd").path
        return JAXBContextFactory.Builder()
            .withMarshallerJAXBEncoding("UTF-8")
            .withMarshallerSchemaLocation(schemaLocation)
            .build()
    }
}