Spring Security 6.0 - endpoint only returns 200 or 403, any other status code is ignored

I'm trying to configure my Spring Boot Security (with Kotlin), and I have one specific request mapping that does not require authentication. As long as my endpoint's response is 200, the configuration below works fine.

However, if any exception is thrown in the code, it always returns a 403 with no message. For example, if a ResponseStatusException with status code 400 is thrown, it still returns 403. Or, for example, if a request parameter is missing, it returns 403. Here is my configuration:

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        // Only this path is opened up; no other rule (and no anyRequest()) is declared.
        http.authorizeHttpRequests().requestMatchers("/v1/resource/*").permitAll()
        return http.build()
    }
}

I've tried disabling exception handling with http.exceptionHandling().disable(), and then I can see the correct status code and error message. The problem, though, is that it is returned as HTML.

What am I doing wrong? See the log below:

2023-04-28T16:15:19.858-04:00 DEBUG 145941 --- [o-auto-1-exec-1] .m.m.a.ExceptionHandlerExceptionResolver : Using @ExceptionHandler test.exception.handler.RestResponseEntityExceptionHandler#handleUnhandledException(Exception, WebRequest)
2023-04-28T16:15:19.862-04:00 DEBUG 145941 --- [o-auto-1-exec-1] .w.s.m.a.ResponseStatusExceptionResolver : Resolved [test.exception.NotFoundException: Test error]
2023-04-28T16:15:19.863-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.web.servlet.DispatcherServlet        : Completed 404 NOT_FOUND
2023-04-28T16:15:19.864-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.a.c.c.C.[Tomcat].[localhost]           : Processing ErrorPage[errorCode=0, location=/error]
2023-04-28T16:15:19.868-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-04-28T16:15:19.869-04:00 DEBUG 145941 --- [o-auto-1-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2023-04-28T16:15:19.870-04:00 DEBUG 145941 --- [o-auto-1-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2023-04-28T16:15:19.873-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-28T16:15:19.874-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2023-04-28T16:15:19.874-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    :  Disabling the response for further output
2023-04-28T16:15:19.876-04:00 DEBUG 145941 --- [           main] org.apache.http.wire                     :  << "HTTP/1.1 403 [r][n]"

In the end, I couldn't fix it through the Spring Security configuration. What I did was write my own custom exception handler:

import java.util.Date
import org.springframework.http.HttpStatus
import org.springframework.http.ResponseEntity
import org.springframework.web.bind.MissingServletRequestParameterException
import org.springframework.web.bind.annotation.ExceptionHandler
import org.springframework.web.bind.annotation.RestControllerAdvice
import org.springframework.web.context.request.WebRequest
import org.springframework.web.server.ResponseStatusException

// @RestControllerAdvice combines @ControllerAdvice and @ResponseBody, so the
// ResponseEntity bodies below are serialised as JSON rather than resolved as views.
@RestControllerAdvice
class CustomExceptionHandlerResolver {

    // Propagate the status and reason carried by the ResponseStatusException itself.
    @ExceptionHandler(ResponseStatusException::class)
    fun handleResponseStatusException(
        exception: ResponseStatusException,
        webRequest: WebRequest,
    ): ResponseEntity<ExceptionResponse> {
        val exceptionResponse = ExceptionResponse(Date(), exception.reason, webRequest.getDescription(false))
        return ResponseEntity(exceptionResponse, exception.statusCode)
    }

    // A missing request parameter is a client error: answer 400 with a JSON body.
    @ExceptionHandler(MissingServletRequestParameterException::class)
    fun handleRequestParameterException(
        exception: MissingServletRequestParameterException,
        webRequest: WebRequest,
    ): ResponseEntity<ExceptionResponse> {
        val exceptionResponse = ExceptionResponse(Date(), exception.message, webRequest.getDescription(false))
        return ResponseEntity(exceptionResponse, HttpStatus.BAD_REQUEST)
    }
}
In the code above, ExceptionResponse is just a data class (POJO):

import java.util.Date

data class ExceptionResponse(
    val date: Date,
    val message: String?,
    val description: String,
)
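The log above shows the actual cause: after the handler completes with 404, Tomcat forwards the request to /error as an ERROR dispatch, Spring Security 6 secures that dispatch too ("Securing GET /error"), no rule matches it, and Http403ForbiddenEntryPoint replaces the real status with 403. As an added example (not the asker's code), the configuration below permits the container's error dispatch while keeping every other request authenticated; it assumes Spring Boot 3 / Spring Security 6 with the Jakarta servlet API.

```kotlin
import jakarta.servlet.DispatcherType
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests { auth ->
            // Spring Security 6 applies the filter chain to every dispatcher type,
            // so the container's ERROR dispatch to /error is authorised like a
            // client request. The original request was already authorised before
            // the handler ran, so the internal error dispatch can be permitted.
            auth.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()

            // The public endpoint from the question.
            auth.requestMatchers("/v1/resource/*").permitAll()

            // Everything else, including a client that requests /error directly
            // (a normal REQUEST dispatch, not an ERROR one), still needs a login.
            auth.anyRequest().authenticated()
        }
        return http.build()
    }
}
```

Rules are evaluated in declaration order, so the dispatcher-type rule must come before anyRequest(). With this in place the ResponseStatusException and missing-parameter cases reach Spring Boot's BasicErrorController and return their real status with the default JSON error body, independently of any @ControllerAdvice.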
