401 Unauthorized - 当尝试点击 Spring 应用程序的休息服务时

Posted

技术标签:

【中文标题】401 Unauthorized - 当尝试点击 Spring 应用程序的休息服务时【英文标题】:401 Unauthorized - when try to hit rest service of Spring application 【发布时间】:2019-04-02 11:15:10 【问题描述】:

当尝试在请求中传递 Authorization 标头时尝试点击 Spring 应用程序的 rest webservice 得到 401- Unauthorized。我不想让 spring 验证或验证我的标头,但我想将 Authorization 标头发送到端点。

web.xml

<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>Test Tool</display-name>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/root-context.xml</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<servlet>
    <servlet-name>spring-dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/SpringConfig.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>spring-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring-security.xml
    </param-value>
</context-param>

<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

</web-app>

spring-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/v1.2/transfers/**" access="permitAll" />
    <logout logout-success-url="/home" delete-cookies="JSESSIONID"/>
    </http>

    <authentication-manager>
    <authentication-provider>
    <user-service>
    <user name="admin" password="admin" authorities="ROLE_USER" />
    </user-service> 
    </authentication-provider>
    </authentication-manager>
</beans:beans>

我正在尝试从客户端工具 /v1.2/transfers/**** 调用以下服务

Spring-Config.xml

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:util="http://www.springframework.org/schema/util"
   xmlns:mvc="http://www.springframework.org/schema/mvc"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
      http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
      http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd">

    <context:annotation-config />   
    <context:component-scan base-package="com.test.demo" />   
    <bean name="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" /> 
</beans>

【问题讨论】:

【参考方案1】:

为 REST api 端点启用 http 模式,如下所示。

<http pattern="/v1.2/transfers/**" security="none"/>

【讨论】:

感谢您的回复,当我尝试这个时,我得到 404。 无论您输入什么模式,这些 url 都会为安全性而开放,这意味着您无需登录即可访问。所以只需将 url.so 放在这里 /v1.2/transfers/ /v1.2 之后的任何 url /transfers 将从安全中打开。 30-Oct-2018 13:07:32.753 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal 一个或多个监听器无法启动。完整的详细信息将在相应的容器日志文件中找到 30-Oct-2018 13:07:32.757 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/testtool-1.4.0-SNAPSHOT ] 由于之前的错误,启动失败

以上是关于401 Unauthorized - 当尝试点击 Spring 应用程序的休息服务时的主要内容,如果未能解决你的问题,请参考以下文章

如何修复PUT Invoke-RestMethod中的“401 Unauthorized”错误(试图替换存储过程)

401 Unauthorized 尝试调用谷歌云功能时

当客户端在 /.auth/login/aad 端点上发布访问令牌时,为啥 EasyAuth 返回 401 Unauthorized 状态?

通过 Axios 和有效 JWT 发布时,WordPress REST API 返回 401 Unauthorized

401 Unauthorized vs 403 Forbidden:当用户没有登录时,哪个是正确的状态码? [复制]

尝试控制台时收到 401~UNAUTHORIZED。记录我从 socket.io 收到的消息