java 所有异常都将在公共终结点上转换为HTTP 401

rryofs0p  于 2022-12-25  发布在  Java
关注(0)|答案(1)|浏览(133)

我在Spring Boot Starter Security V3.0.0上有问题
对于此配置:

@Bean
    public SecurityFilterChain filterChain( final HttpSecurity http ) throws Exception {
        http
                .cors().and().csrf().disable()
                .sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS )
                .and()
                .anonymous()
                .and()
                .authorizeHttpRequests()
                .requestMatchers( HttpMethod.OPTIONS ).permitAll()
                .requestMatchers( "/system/**" ).hasRole( new SecurityRole( Role.ROLE_SYSTEM ).toString() )
                .requestMatchers( "/admin/**" ).hasRole( new SecurityRole( Role.ROLE_AUTH_ADMIN ).toString() )
                .requestMatchers( "/identity/**" ).hasRole( new SecurityRole( Role.ROLE_AUTH_IDENTITY ).toString() )
                .requestMatchers( "/guest/**" ).permitAll()
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt );

        return http.build();
    }

所有由"/guest/**"端点抛出的异常都被转换为HTTP 401,而不包含异常体。即使我使用此类发出HTTP 409:

@ResponseStatus( code = HttpStatus.CONFLICT )
public class HttpConflictException extends RuntimeException {
    public HttpConflictException( String message ) {
        super( message );
    }
}

重要信息:如果没有引发异常,查询将正常工作
如果这条线

.requestMatchers( "/guest/**" ).permitAll()

被替换为

.requestMatchers( "/**" ).permitAll()

它工作。但这个选项似乎太危险。我不明白的东西吗?我还没有看到任何在文档中可以帮助解决这个问题。
依赖关系:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

谢谢你。

8ehkhllq

8ehkhllq1#

好吧,我找到了一个似乎有效的解决办法。
添加以下行可解决问题:

.dispatcherTypeMatchers( DispatcherType.ERROR ).permitAll()

完整代码:

@Bean
    public SecurityFilterChain filterChain( final HttpSecurity http ) throws Exception {
        http
                .cors().and().csrf().disable()
                .sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS )
                .and()
                .anonymous()
                .and()
                .authorizeHttpRequests()
                .dispatcherTypeMatchers( DispatcherType.ERROR ).permitAll()
                .requestMatchers( HttpMethod.OPTIONS ).permitAll()
                .requestMatchers( "/guest/**" ).permitAll()
                .requestMatchers( "/system/**" ).hasRole( new SecurityRole( Role.ROLE_SYSTEM ).toString() )
                .requestMatchers( "/admin/**" ).hasRole( new SecurityRole( Role.ROLE_AUTH_ADMIN ).toString() )
                .requestMatchers( "/identity/**" ).hasRole( new SecurityRole( Role.ROLE_AUTH_IDENTITY ).toString() )
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt );

        return http.build();
    }

文件:https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html

相关问题