请求安全页面时 RestTemplate 不会因 403 或 302 错误而失败
RestTemplate not failing with 403 or 302 error when requesting secured pages
我有使用 spring-security 4.0.1 和 spring mvc 4.1.6 的网络应用程序。
它具有以下 spring 视图页面“/admin”和数据 API“/admin/api/properties”的安全配置:
<http pattern="/admin.*" request-matcher="regex" auto-config="false">
<intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
<intercept-url pattern="/admin/api/.+" access="hasRole('ADMIN')"/>
<logout logout-url="/admin/logout" success-handler-ref="customLogoutSuccessHandler"/>
<form-login login-page="/admin/login" login-processing-url="/admin/login"
authentication-success-handler-ref="customSuccessHandler"
authentication-failure-handler-ref="customFailureHandler"/>
<csrf disabled="true" />
</http>
这工作正常。但现在我正在尝试通过使用不同凭据的休息模板向“/admin”和“/admin/api/properties”发送请求来测试安全性。
private HttpStatus fetchAccessStatusForPage(String username, String password, String requestUrl) {
HttpHeaders headers = new HttpHeaders();
String token = username + ":" + password;
String authorizationValue = "Base " + new String(Base64.encode(token.getBytes()));
headers.add("Authorization", authorizationValue);
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<Object> httpEntity = new HttpEntity<>(headers);
HttpStatus resultCode;
try {
ResponseEntity<Object> responseEntity = restTemplate.exchange(requestUrl, HttpMethod.GET, httpEntity, Object.class);
resultCode = responseEntity.getStatusCode();
} catch (HttpClientErrorException e) {
resultCode = e.getStatusCode();
}
return resultCode;
但它总是给我 200 OK 状态代码,无论我提供什么凭据,也无论我正在测试什么 api。
我还尝试了以下操作(没有任何凭据),出于某种原因,响应代码也是 200 OK。
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<Object> httpEntity = new HttpEntity<>(headers);
ResponseEntity<String> responseEntity = restTemplate.exchange(adminPageUrl, HttpMethod.GET, httpEntity, String.class);
我错过了什么吗?为什么 rest 模板不会因 403 错误或至少 302 位置在 header 中而失败?
也试了下面的方法,结果一样
URL u = new URL(getPageUrl(page));
HttpURLConnection huc = (HttpURLConnection) u.openConnection();
String token = username + ":" + password;
String authorizationValue = "Base " + new String(Base64.encode(token.getBytes()));
huc.setRequestProperty("Authorization", authorizationValue);
huc.setRequestMethod("GET");
huc.connect();
return huc.getResponseCode()
您可以通过创建类似这样的东西来防止 RestTemplate 隐藏重定向:
RestTemplate restTemplate = new RestTemplate(new SimpleClientHttpRequestFactory() {
@Override
protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException
{
super.prepareConnection(connection, httpMethod);
connection.setInstanceFollowRedirects(false);
}
});
更新: 为 API 设置单独的 HTTP 链通常是个好主意,例如:
<http pattern="/admin/api/.+" request-matcher="regex" create-session="stateless">
<intercept-url pattern="/admin/api/.+" access="hasRole('ADMIN')"/>
<http-basic/>
<csrf disabled="true" />
</http>
<http pattern="/admin.*" request-matcher="regex">
<intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
<logout logout-url="/admin/logout" success-handler-ref="customLogoutSuccessHandler"/>
<form-login login-page="/admin/login" login-processing-url="/admin/login"
authentication-success-handler-ref="customSuccessHandler"
authentication-failure-handler-ref="customFailureHandler"/>
</http>
我有使用 spring-security 4.0.1 和 spring mvc 4.1.6 的网络应用程序。 它具有以下 spring 视图页面“/admin”和数据 API“/admin/api/properties”的安全配置:
<http pattern="/admin.*" request-matcher="regex" auto-config="false">
<intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
<intercept-url pattern="/admin/api/.+" access="hasRole('ADMIN')"/>
<logout logout-url="/admin/logout" success-handler-ref="customLogoutSuccessHandler"/>
<form-login login-page="/admin/login" login-processing-url="/admin/login"
authentication-success-handler-ref="customSuccessHandler"
authentication-failure-handler-ref="customFailureHandler"/>
<csrf disabled="true" />
</http>
这工作正常。但现在我正在尝试通过使用不同凭据的休息模板向“/admin”和“/admin/api/properties”发送请求来测试安全性。
private HttpStatus fetchAccessStatusForPage(String username, String password, String requestUrl) {
HttpHeaders headers = new HttpHeaders();
String token = username + ":" + password;
String authorizationValue = "Base " + new String(Base64.encode(token.getBytes()));
headers.add("Authorization", authorizationValue);
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<Object> httpEntity = new HttpEntity<>(headers);
HttpStatus resultCode;
try {
ResponseEntity<Object> responseEntity = restTemplate.exchange(requestUrl, HttpMethod.GET, httpEntity, Object.class);
resultCode = responseEntity.getStatusCode();
} catch (HttpClientErrorException e) {
resultCode = e.getStatusCode();
}
return resultCode;
但它总是给我 200 OK 状态代码,无论我提供什么凭据,也无论我正在测试什么 api。 我还尝试了以下操作(没有任何凭据),出于某种原因,响应代码也是 200 OK。
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<Object> httpEntity = new HttpEntity<>(headers);
ResponseEntity<String> responseEntity = restTemplate.exchange(adminPageUrl, HttpMethod.GET, httpEntity, String.class);
我错过了什么吗?为什么 rest 模板不会因 403 错误或至少 302 位置在 header 中而失败?
也试了下面的方法,结果一样
URL u = new URL(getPageUrl(page));
HttpURLConnection huc = (HttpURLConnection) u.openConnection();
String token = username + ":" + password;
String authorizationValue = "Base " + new String(Base64.encode(token.getBytes()));
huc.setRequestProperty("Authorization", authorizationValue);
huc.setRequestMethod("GET");
huc.connect();
return huc.getResponseCode()
您可以通过创建类似这样的东西来防止 RestTemplate 隐藏重定向:
RestTemplate restTemplate = new RestTemplate(new SimpleClientHttpRequestFactory() {
@Override
protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException
{
super.prepareConnection(connection, httpMethod);
connection.setInstanceFollowRedirects(false);
}
});
更新: 为 API 设置单独的 HTTP 链通常是个好主意,例如:
<http pattern="/admin/api/.+" request-matcher="regex" create-session="stateless">
<intercept-url pattern="/admin/api/.+" access="hasRole('ADMIN')"/>
<http-basic/>
<csrf disabled="true" />
</http>
<http pattern="/admin.*" request-matcher="regex">
<intercept-url pattern="/admin" access="hasRole('ADMIN')"/>
<logout logout-url="/admin/logout" success-handler-ref="customLogoutSuccessHandler"/>
<form-login login-page="/admin/login" login-processing-url="/admin/login"
authentication-success-handler-ref="customSuccessHandler"
authentication-failure-handler-ref="customFailureHandler"/>
</http>