Spring Boot HEAD request returns 403

Posted by sqyvllje on 2021-07-14 in Java

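I have a Spring Boot project in which I use Spring Security. I have a few endpoints that are accessed via the HEAD HTTP method. However, when I call them, I get a 403. I have tried deploying this application on Cloud Foundry.
I enabled debug logging for Spring Security and noticed the following during app deployment: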

For security constraints with URL pattern [/*] only the HTTP methods [HEAD OPTIONS] are covered. All other methods are uncovered.

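Is this the reason for the 403 error? I also tried creating a custom filter that returns a 200 OK response, giving that filter the highest precedence and the Spring Security filter the lowest. Still, a 403 error.
Spring configuration -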

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("api/v1/**").authenticated()
                .antMatchers("actuator/**").hasAuthority("Internal")
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer()
                .bearerTokenResolver(new ...)
                .jwt()
                .jwtAuthenticationConverter(getJwtAuthenticationConverter());

        http.headers().frameOptions().disable();

    }

There is no web.xml in the project at all.
Edit
Adding more information.
HEAD endpoint details:

@RestController
@RequestMapping("/api/v2")
public class GenericController {

    private static final Logger oLogger = LoggerFactory.getLogger(GenericController.class);

    @RequestMapping(value="head", method = RequestMethod.HEAD)
    public String getHead() {
        oLogger.debug("HEAD call");
        return "OK";
    }
}

Adding the relevant Spring Security configuration:

@Profile("cloud")
@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().mvcMatchers("actuator/health", "actuator/health/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("api/v2/**").authenticated()
                .antMatchers("actuator/**").hasAuthority("Internal")
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer()
                .bearerTokenResolver(new ...(...))
                .jwt()
                .jwtAuthenticationConverter(getJwtAuthenticationConverter());

        http.headers().frameOptions().disable();
    }
}

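I have enabled the debug log level for the whole application. I also cross-checked with the actuator, and the result is as follows.

After this, I tried calling the endpoint, and the logs I received are as follows -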

2021-04-22T11:27:56.52+0530 [RTR/0] OUT runtime......com - [2021-04-22T05:57:56.514492433Z] "HEAD /api/v2/head HTTP/1.1" 403 0 0 "-" "PostmanRuntime/7.26.10" "-" "10.0.137.10:61266" x_forwarded_for: "-" x_forwarded_proto: "https" vcap_request_id: "dbe3fb9c-137c-43ac-7e1c-83676999c500" response_time: 0.013301 gorouter_time: 0.000090 app_id: "c40362dd-c3f0-4761-a4c4-4a0e2fd99796" app_index: "0" x_cf_routererror: "-" x_correlationid: "-" tenantid: "-" sap_passport: "-" x_scp_request_id: "bb61bf42-9a83-4b45-b9ae-07ef8db69fe6-60811063-2BE5AA" x_cf_app_instance: "-" x_forwarded_host: "-" x_custom_host: "-" x_b3_traceid: "323746048bfbc90d" x_b3_spanid: "323746048bfbc90d" x_b3_parentspanid: "-" b3: "323746048bfbc90d-323746048bfbc90d"
   2021-04-22T11:27:56.52+0530 [RTR/0] OUT


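There is no web.xml in the project, but on application startup I get the warning about [HEAD OPTIONS] requests (pasted above).
Edit 2
So I re-enabled debug mode for the whole application and tried with both the HEAD and GET HTTP methods, to show the contrast in the logs. Below are the logs I got via cf logs <<APP_NAME>> .
Note - some sensitive URL/user information has been removed from the logs. A GET call to /api/v2/head returns 405 Method Not Allowed, which is expected. Below are the cf logs -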

2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.034 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/v2/head'; against '/cloudfoundryapplication/**'
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.037  INFO 7 --- [0.0-8080-exec-4] Spring Security Debugger                 :
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT************************************************************
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT Request received for GET '/api/v2/head':
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT org.apache.catalina.connector.RequestFacade@7ac950f3
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT servletPath:/api/v2/head
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT pathInfo:null
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT headers:
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT host: <<APP_URL>>
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT user-agent: PostmanRuntime/7.26.10
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT accept: */*
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT accept-encoding: gzip, deflate, br
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT authorization: Bearer ....
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT b3: a1a81b1681479e0d-a1a81b1681479e0d
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT cache-control: no-cache
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT postman-token: d1d3f9ed-e3d1-4bb2-86fb-772f4dc2613b
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-b3-spanid: a1a81b1681479e0d
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-b3-traceid: a1a81b1681479e0d
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-cf-applicationid: c40362dd-c3f0-4761-a4c4-4a0e2fd99796
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-cf-instanceid: 067e01f5-c736-4804-7d20-b847
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-cf-instanceindex: 0
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-vcap-request-id: e33cdf0a-9e1a-4d95-7169-6c24a3413357
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-forwarded-proto: https
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-request-start: 1619154128021
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-scp-request-id: cab4a4ec-7f3b-47ca-ada6-7236a02aeb16-608254CF-1018CBB
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT Security filter chain: [
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   WebAsyncManagerIntegrationFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   SecurityContextPersistenceFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   HeaderWriterFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   CsrfFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   LogoutFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   BearerTokenAuthenticationFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   RequestCacheAwareFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   SecurityContextHolderAwareRequestFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   AnonymousAuthenticationFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   SessionManagementFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   ExceptionTranslationFilter
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT   FilterSecurityInterceptor
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT ]
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT************************************************************
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.037 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/v2/head'; against '/cloudfoundryapplication/**'
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.util.matcher.AndRequestMatcher   : Trying to match using org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher@17df04b2
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.util.matcher.AndRequestMatcher   : Did not match
   2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
   2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /api/v2/head' doesn't match 'POST /logout'
   2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 6 of 12 in additional filter chain; firing Filter: 'BearerTokenAuthenticationFilter'
   2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.040 DEBUG 7 --- [0.0-8080-exec-4] c.s.c.s.xsuaa.extractor.TokenUtil        : System environment variable I.... is set to null
   2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.040 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider
   2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.040 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate              : HTTP GET https://..../token_keys
   2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.041 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate              : Accept=[text/plain, application/json, application/*+json, */*]
   2021-04-23T10:32:08.07+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.079 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate              : Response 200 OK
   2021-04-23T10:32:08.07+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.079 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate              : Reading to [java.lang.String] as "application/json"
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter  : SecurityContextHolder not populated with anonymous token, as it already contained: ....AuthenticationToken@5b1cc3d9: Principal: user/user@xyz.com; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 169.145.206.236; SessionId: null; Granted Authorities: ...'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@6e3a74b5
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@3f28b2df
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/v2/head'; against 'api/v2/**'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/v2/head'; against 'actuator/**'
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /api/v2/head; Attributes: [authenticated]
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: ....; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 169.145.206.236; SessionId: null; Granted Authorities: ...
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@12459b37, returned: 1
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy        : /api/v2/head reached end of additional filter chain; proceeding with original chain
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet        : GET "/api/v2/head", parameters={}
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082  WARN 7 --- [0.0-8080-exec-4] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported]
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet        : Completed 405 METHOD_NOT_ALLOWED
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet        : "FORWARD" dispatch for GET "/error", parameters={}
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] o.j.s.OpenEntityManagerInViewInterceptor : Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] o.s.w.s.m.m.a.HttpEntityMethodProcessor  : Writing [{timestamp=Fri Apr 23 05:02:08 UTC 2021, status=405, error=Method Not Allowed, message=, path=/api/v (truncated)...]
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.084 DEBUG 7 --- [0.0-8080-exec-4] o.j.s.OpenEntityManagerInViewInterceptor : Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
   2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.084 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet        : Exiting from "FORWARD" dispatch, status 405
   2021-04-23T10:32:08.08+0530 [RTR/9] OUT <<APP_URL>> - [2021-04-23T05:02:08.021406510Z] "GET /api/v2/head HTTP/1.1" 405 0 136 "-" "PostmanRuntime/7.26.10" "-" "10.0.138.38:61258" x_forwarded_for:"-" x_forwarded_proto:"https" vcap_request_id:"e33cdf0a-9e1a-4d95-7169-6c24a3413357" response_time:0.064141 gorouter_time:0.000084 app_id:"c40362dd-c3f0-4761-a4c4-4a0e2fd99796" app_index:"0" x_cf_routererror:"-" x_correlationid:"-" tenantid:"-" ...:"-" x_scp_request_id:"cab4a4ec-7f3b-47ca-ada6-7236a02aeb16-608254CF-1018CBB" x_cf_app_instance:"-" x_forwarded_host:"-" x_custom_host:"-" x_b3_traceid:"a1a81b1681479e0d" x_b3_spanid:"a1a81b1681479e0d" x_b3_parentspanid:"-" b3:"a1a81b1681479e0d-a1a81b1681479e0d"

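After this, I tried the same API endpoint with the HEAD HTTP method. It returns 403, but the Spring Security logs are missing. It is as if the request is filtered out before it even reaches the DispatcherServlet in the Spring container. The only log I received is as follows -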

2021-04-23T10:59:30.06+0530 [RTR/10] OUT <<APP_URL>> - [2021-04-23T05:29:30.016853591Z] "HEAD /api/v2/head HTTP/1.1" 403 0 0 "-" "PostmanRuntime/7.26.10" "-" "10.0.138.38:61258" x_forwarded_for: "-" x_forwarded_proto: "https" vcap_request_id: "f68ece10-c7e5-4d25-46a8-87ab1111448c" response_time: 0.045167 gorouter_time: 0.000078 app_id: "c40362dd-c3f0-4761-a4c4-4a0e2fd99796" app_index: "0" x_cf_routererror: "-" x_correlationid: "-" tenantid: "-" ..: "-" x_scp_request_id: "a729ee4e-7440-4beb-85ac-fdd6bd05e7ba-60825B39-BF580A" x_cf_app_instance: "-" x_forwarded_host: "-" x_custom_host: "-" x_b3_traceid: "c8c055af860ea548" x_b3_spanid: "c8c055af860ea548" x_b3_parentspanid: "-" b3: "c8c055af860ea548-c8c055af860ea548"
   2021-04-23T10:59:30.06+0530 [RTR/10] OUT

Answer 1 (qnzebej0)

You need to bypass the security filter, otherwise your application will still try to authenticate it.
Try adding:

.antMatchers(HttpMethod.HEAD, "/**").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()

before

.antMatchers("api/v1/**").authenticated()
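
As an added example (not code from the question or the answer), the rule can be limited to the one HEAD endpoint instead of `/**`, which would also let unauthenticated HEAD requests through to every other path, and the behaviour pinned with a MockMvc test. It assumes Spring Boot 2.x with spring-security-test and JUnit 5 on the test classpath and the `GenericController` from the question; `ScopedHeadAccessTest` and `ScopedRules` are hypothetical names, and the patterns carry a leading slash because the debug log shows `'api/v2/**'` being checked against `'/api/v2/head'` without a match.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.head;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class; GenericController is the controller shown in the question.
@WebMvcTest(GenericController.class)
class ScopedHeadAccessTest {

    // Hypothetical configuration used only by this test (nested @TestConfiguration is picked up automatically).
    @TestConfiguration
    static class ScopedRules extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests()
                    // Rules are evaluated in order and the first match wins,
                    // so the HEAD exception is listed first and names one path only.
                    .antMatchers(HttpMethod.HEAD, "/api/v2/head").permitAll()
                    // Leading slash: Ant patterns are compared with the servlet path '/api/v2/...'.
                    .antMatchers("/api/v2/**").authenticated()
                    .antMatchers("/actuator/**").hasAuthority("Internal")
                    .anyRequest().authenticated()
                .and().oauth2ResourceServer().jwt();
        }
    }

    @Autowired MockMvc mvc;
    @MockBean JwtDecoder jwtDecoder; // satisfies .jwt() without contacting a real key endpoint

    @Test
    void headProbeNeedsNoToken() throws Exception {
        mvc.perform(head("/api/v2/head")).andExpect(status().isOk());
    }

    @Test
    void headOnOtherPathsIsStillRejected() throws Exception {
        // No bearer token: the resource-server entry point answers 401 before MVC is reached.
        mvc.perform(head("/actuator/env")).andExpect(status().isUnauthorized());
    }

    @Test
    void getWithTokenReachesMvc() throws Exception {
        // Authenticated GET passes security; the controller only maps HEAD, hence 405.
        mvc.perform(get("/api/v2/head").with(jwt())).andExpect(status().isMethodNotAllowed());
    }
}
```

MockMvc runs only the Spring filter chain and the DispatcherServlet, so if these tests pass while the deployed application still answers 403 without any Spring Security log lines, the rejection is happening outside that chain.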
