Spring Security StrictHttpFirewall.setAllowedHostnames: why is `localhost` rejected even though it is in the whitelist?

jv4diomz posted on 2023-08-05 in Spring
Follow (0) | Answers (2) | Views (116)

I am using Java 11, Spring Boot 2.3.12.RELEASE, Windows 11 x64. In CMD:

Microsoft Windows [Version 10.0.22621.1848]
(c) Microsoft Corporation. All rights reserved.

C:\Users\admin>hostname
DESKTOP-84LARLB

C:\Users\admin>

Configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    //...
    StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
    strictHttpFirewall.setAllowBackSlash(true);
    // setAllowedHostnames stores a single Predicate<String>; each call replaces the previous one
    strictHttpFirewall.setAllowedHostnames(hostName -> hostName.equals("http://localhost"));
    strictHttpFirewall.setAllowedHostnames(hostName -> hostName.equals("DESKTOP-84LARLB"));
    strictHttpFirewall.setAllowedHostnames(hostName -> hostName.equals("localhost"));
    //...
}


Postman:

GET http://localhost:8083/foo/bar/baa


Error:

2023-07-05 14:20:33.115 ERROR--[25-nio-8083-exec-2] [                                        ]o.a.c.c.C.[.[localhost]        :Exception Processing ErrorPage[errorCode=0, location=/error]
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the domain localhost is untrusted.
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedUntrustedHosts(StrictHttpFirewall.java:382)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:337)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:103)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:710)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:459)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:384)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:312)
    at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:398)
    at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:257)
    at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:352)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:177)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1707)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)


Why is localhost rejected even though it is in the whitelist?

uqjltbpv 1#

According to the documentation, the HttpFirewall needs to be a separate bean:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class Security {
...
  @Bean
  public StrictHttpFirewall httpFirewall() {
    StrictHttpFirewall strictHttpFirewall = new StrictHttpFirewall();
    strictHttpFirewall.setAllowBackSlash(true);
    // each setAllowedHostnames call replaces the previous predicate; only the last one applies
    strictHttpFirewall.setAllowedHostnames(hostName -> hostName.equals("http://localhost"));
    strictHttpFirewall.setAllowedHostnames(hostName -> hostName.equals("localhost"));
    // returning it from a @Bean method is what makes Spring Security pick it up
    return strictHttpFirewall;
  }
...
}

I tested this locally and it works. The default is to allow every host name, so even without explicitly adding localhost, putting it in a bean should work.
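An added example, not from the question or either answer, showing how StrictHttpFirewall applies the allowed-hostname check when driven directly (independent of bean registration): it holds a single Predicate<String> that each setAllowedHostnames call replaces, and it evaluates that predicate against request.getServerName(), so a value such as "http://localhost" can never match. It assumes spring-security-web and spring-test (MockHttpServletRequest stands in for the servlet container) on the classpath; the class name AllowedHostnamesDemo and the host name other.example are the example's own.

```java
import java.util.Set;
import java.util.function.Predicate;

import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class AllowedHostnamesDemo {

    // Constructed request standing in for "GET http://<host>:8083/foo/bar/baa" as Tomcat
    // hands it over. StrictHttpFirewall tests request.getServerName(), i.e. the bare host.
    static HttpServletRequest requestFor(String host) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/foo/bar/baa");
        req.setServerName(host);
        req.setServerPort(8083);
        return req;
    }

    // true if the firewall lets the request through, false if it throws RequestRejectedException
    static boolean accepted(StrictHttpFirewall firewall, String host) {
        try {
            firewall.getFirewalledRequest(requestFor(host));
            return true;
        } catch (RequestRejectedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // 1. Repeated calls: the firewall keeps ONE Predicate<String>, so each call replaces the
        //    previous one. Only the DESKTOP-84LARLB predicate survives; localhost is rejected.
        StrictHttpFirewall lastCallWins = new StrictHttpFirewall();
        lastCallWins.setAllowedHostnames(h -> h.equals("http://localhost")); // scheme never appears in getServerName()
        lastCallWins.setAllowedHostnames(h -> h.equals("localhost"));
        lastCallWins.setAllowedHostnames(h -> h.equals("DESKTOP-84LARLB"));
        System.out.println("localhost accepted:       " + accepted(lastCallWins, "localhost"));
        System.out.println("DESKTOP-84LARLB accepted: " + accepted(lastCallWins, "DESKTOP-84LARLB"));

        // 2. One predicate covering every trusted host name; any other Host value is rejected.
        Set<String> trustedHosts = Set.of("localhost", "DESKTOP-84LARLB");
        Predicate<String> allowed = trustedHosts::contains;
        StrictHttpFirewall allowList = new StrictHttpFirewall();
        allowList.setAllowedHostnames(allowed);
        System.out.println("localhost accepted:       " + accepted(allowList, "localhost"));
        System.out.println("other.example accepted:   " + accepted(allowList, "other.example"));
    }
}
```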

uidvcgyl 2#

All hosts are allowed by default; if a specific host is specified, anything else is rejected.
