Spring boot HEAD requests are returning 403
Posted: 2021-07-14 09:46:20

Question:
I have a Spring Boot project in which I use Spring Security. I have a few endpoints that are accessible via the HEAD HTTP method. However, when I call them I run into a 403. I have tried deploying this app on Cloud Foundry.
I enabled debug logging for Spring Security and noticed the following when the app is deployed:
For security constraints with URL pattern [/*] only the HTTP methods [HEAD OPTIONS] are covered. All other methods are uncovered.
Is this the cause of the 403 error? I also tried creating a custom filter that returns the response as 200 OK, placing that filter at the highest precedence and the Spring Security filter at the lowest. However, I still get the 403 error.
Spring configuration -
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
        .authorizeRequests()
            .antMatchers("api/v1/**").authenticated()
            .antMatchers("actuator/**").hasAuthority("Internal")
            .anyRequest().authenticated()
        .and()
        .oauth2ResourceServer()
            .bearerTokenResolver(new ...)
            .jwt()
                .jwtAuthenticationConverter(getJwtAuthenticationConverter());
    http.headers().frameOptions().disable();
}
```
There is no web.xml in the project.
Edit: adding more information.

HEAD endpoint details:
```java
@RestController
@RequestMapping("/api/v2")
public class GenericController {
    private static final Logger oLogger = LoggerFactory.getLogger(GenericController.class);

    // Explicit HEAD mapping; reached only if the request passes the security filter chain
    @RequestMapping(value = "head", method = RequestMethod.HEAD)
    public String getHead() {
        oLogger.debug("HEAD call");
        return "OK";
    }
}
```
Spring Security config related information:
```java
@Profile("cloud")
@Configuration
@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().mvcMatchers("actuator/health", "actuator/health/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("api/v2/**").authenticated()
                .antMatchers("actuator/**").hasAuthority("Internal")
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
                .bearerTokenResolver(new ...(...))
                .jwt()
                    .jwtAuthenticationConverter(getJwtAuthenticationConverter());
        http.headers().frameOptions().disable();
    }
}
```
I have enabled the DEBUG log level for the whole application. I also cross-verified this with the actuator, with the following results.
After this, I tried calling the endpoint, and the only log I receive is the following -
2021-04-22T11:27:56.52+0530 [RTR/0] OUT runtime......com - [2021-04-22T05:57:56.514492433Z] "HEAD /api/v2/head HTTP/1.1" 403 0 0 "-" "PostmanRuntime/7.26.10" "-" "10.0.137.10:61266" x_forwarded_for: "-" x_forwarded_proto: "https" vcap_request_id: "dbe3fb9c-137c-43ac-7e1c-83676999c500" response_time: 0.013301 gorouter_time: 0.000090 app_id: "c40362dd-c3f0-4761-a4c4-4a0e2fd99796" app_index: "0" x_cf_routererror: "-" x_correlationid: "-" tenantid: "-" sap_passport: "-" x_scp_request_id: "bb61bf42-9a83-4b45-b9ae-07ef8db69fe6-60811063-2BE5AA" x_cf_app_instance: "-" x_forwarded_host: "-" x_custom_host: "-" x_b3_traceid: "323746048bfbc90d" x_b3_spanid: "323746048bfbc90d" x_b3_parentspanid: "-" b3: "323746048bfbc90d-323746048bfbc90d"
2021-04-22T11:27:56.52+0530 [RTR/0] OUT
There is no web.xml in the project, but at application startup I get the warning about [HEAD and OPTIONS] requests pasted above.
Edit 2
So I re-enabled debug mode across the whole application and tried accessing the same API endpoint with both the HEAD and GET HTTP methods, to show the contrast in the logs. Below are the debug logs I obtained via cf logs <<APP_NAME>>.
Note - some sensitive URL/user information has been removed from the logs.
A GET call to /api/v2/head returns 405 Method Not Allowed, which is expected. Below are the cf logs -
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.034 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v2/head'; against '/cloudfoundryapplication/**'
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.037 INFO 7 --- [0.0-8080-exec-4] Spring Security Debugger :
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT ************************************************************
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT Request received for GET '/api/v2/head':
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT org.apache.catalina.connector.RequestFacade@7ac950f3
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT servletPath:/api/v2/head
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT pathInfo:null
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT headers:
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT host: <<APP_URL>>
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT user-agent: PostmanRuntime/7.26.10
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT accept: */*
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT accept-encoding: gzip, deflate, br
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT authorization: Bearer ....
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT b3: a1a81b1681479e0d-a1a81b1681479e0d
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT cache-control: no-cache
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT postman-token: d1d3f9ed-e3d1-4bb2-86fb-772f4dc2613b
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-b3-spanid: a1a81b1681479e0d
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-b3-traceid: a1a81b1681479e0d
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-cf-applicationid: c40362dd-c3f0-4761-a4c4-4a0e2fd99796
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-cf-instanceid: 067e01f5-c736-4804-7d20-b847
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-cf-instanceindex: 0
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-vcap-request-id: e33cdf0a-9e1a-4d95-7169-6c24a3413357
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-forwarded-proto: https
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-request-start: 1619154128021
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT x-scp-request-id: cab4a4ec-7f3b-47ca-ada6-7236a02aeb16-608254CF-1018CBB
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT Security filter chain: [
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT WebAsyncManagerIntegrationFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT SecurityContextPersistenceFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT HeaderWriterFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT CsrfFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT LogoutFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT BearerTokenAuthenticationFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT RequestCacheAwareFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT SecurityContextHolderAwareRequestFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT AnonymousAuthenticationFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT SessionManagementFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT ExceptionTranslationFilter
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT FilterSecurityInterceptor
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT ]
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT ************************************************************
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.037 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v2/head'; against '/cloudfoundryapplication/**'
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.util.matcher.AndRequestMatcher : Trying to match using org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher@17df04b2
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.util.matcher.AndRequestMatcher : Did not match
2021-04-23T10:32:08.03+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /api/v2/head' doesn't match 'POST /logout'
2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.039 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 6 of 12 in additional filter chain; firing Filter: 'BearerTokenAuthenticationFilter'
2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.040 DEBUG 7 --- [0.0-8080-exec-4] c.s.c.s.xsuaa.extractor.TokenUtil : System environment variable I.... is set to null
2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.040 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider
2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.040 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate : HTTP GET https://..../token_keys
2021-04-23T10:32:08.04+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.041 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate : Accept=[text/plain, application/json, application/*+json, */*]
2021-04-23T10:32:08.07+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.079 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate : Response 200 OK
2021-04-23T10:32:08.07+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.079 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.client.RestTemplate : Reading to [java.lang.String] as "application/json"
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : SecurityContextHolder not populated with anonymous token, as it already contained: ....AuthenticationToken@5b1cc3d9: Principal: user/user@xyz.com; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 169.145.206.236; SessionId: null; Granted Authorities: ...'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@6e3a74b5
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.csrf.CsrfAuthenticationStrategy@3f28b2df
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v2/head'; against 'api/v2/**'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/api/v2/head'; against 'actuator/**'
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /api/v2/head; Attributes: [authenticated]
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.080 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: ....; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 169.145.206.236; SessionId: null; Granted Authorities: ...
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@12459b37, returned: 1
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.security.web.FilterChainProxy : /api/v2/head reached end of additional filter chain; proceeding with original chain
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.081 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet : GET "/api/v2/head", parameters=
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 WARN 7 --- [0.0-8080-exec-4] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported]
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet : Completed 405 METHOD_NOT_ALLOWED
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.082 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet : "FORWARD" dispatch for GET "/error", parameters=
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] o.j.s.OpenEntityManagerInViewInterceptor : Opening JPA EntityManager in OpenEntityManagerInViewInterceptor
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [*/*] and supported [application/json, application/*+json, application/json, application/*+json]
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.083 DEBUG 7 --- [0.0-8080-exec-4] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Writing [timestamp=Fri Apr 23 05:02:08 UTC 2021, status=405, error=Method Not Allowed, message=, path=/api/v (truncated)...]
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.084 DEBUG 7 --- [0.0-8080-exec-4] o.j.s.OpenEntityManagerInViewInterceptor : Closing JPA EntityManager in OpenEntityManagerInViewInterceptor
2021-04-23T10:32:08.08+0530 [APP/PROC/WEB/0] OUT 2021-04-23 05:02:08.084 DEBUG 7 --- [0.0-8080-exec-4] o.s.web.servlet.DispatcherServlet : Exiting from "FORWARD" dispatch, status 405
2021-04-23T10:32:08.08+0530 [RTR/9] OUT <<APP_URL>> - [2021-04-23T05:02:08.021406510Z] "GET /api/v2/head HTTP/1.1" 405 0 136 "-" "PostmanRuntime/7.26.10" "-" "10.0.138.38:61258" x_forwarded_for:"-" x_forwarded_proto:"https" vcap_request_id:"e33cdf0a-9e1a-4d95-7169-6c24a3413357" response_time:0.064141 gorouter_time:0.000084 app_id:"c40362dd-c3f0-4761-a4c4-4a0e2fd99796" app_index:"0" x_cf_routererror:"-" x_correlationid:"-" tenantid:"-" ...:"-" x_scp_request_id:"cab4a4ec-7f3b-47ca-ada6-7236a02aeb16-608254CF-1018CBB" x_cf_app_instance:"-" x_forwarded_host:"-" x_custom_host:"-" x_b3_traceid:"a1a81b1681479e0d" x_b3_spanid:"a1a81b1681479e0d" x_b3_parentspanid:"-" b3:"a1a81b1681479e0d-a1a81b1681479e0d"
After this, I tried the same API endpoint with the HEAD HTTP method. It returns 403, but the Spring Security logs are missing. It is as if the call were filtered out before it reaches the DispatcherServlet in the Spring container. The only log I receive is the following -
2021-04-23T10:59:30.06+0530 [RTR/10] OUT <<APP_URL>> - [2021-04-23T05:29:30.016853591Z] "HEAD /api/v2/head HTTP/1.1" 403 0 0 "-" "PostmanRuntime/7.26.10" "-" "10.0.138.38:61258" x_forwarded_for: "-" x_forwarded_proto: "https" vcap_request_id: "f68ece10-c7e5-4d25-46a8-87ab1111448c" response_time: 0.045167 gorouter_time: 0.000078 app_id: "c40362dd-c3f0-4761-a4c4-4a0e2fd99796" app_index: "0" x_cf_routererror: "-" x_correlationid: "-" tenantid: "-" ..: "-" x_scp_request_id: "a729ee4e-7440-4beb-85ac-fdd6bd05e7ba-60825B39-BF580A" x_cf_app_instance: "-" x_forwarded_host: "-" x_custom_host: "-" x_b3_traceid: "c8c055af860ea548" x_b3_spanid: "c8c055af860ea548" x_b3_parentspanid: "-" b3: "c8c055af860ea548-c8c055af860ea548"
2021-04-23T10:59:30.06+0530 [RTR/10] OUT
Comments:

Can you include a full set of logs for the request with Spring Security set to DEBUG? Start your app, clear the logs, send the request, and post everything that shows up. Also, remove your filter. You don't want or need to do that.

@DanielMikusa I have added the details.

Do you see any debug logs from org.springframework.security? You really only need to enable debug logging for that specific package. It will give you enough information to debug the problem if the 403 is coming from Spring Security. The logs you show look like Gorouter log entries, not logs from your app. Try running locally and confirm that you get the expected logs. Then try CF. Make sure you are logging to STDOUT/STDERR and NOT to a file. You must do that on CF so that your logs are available through cf logs.

@DanielMikusa I know about DEBUG logs on the spring-security package, but I did it at ROOT just to capture everything else. Second, yes, the logs are currently printed to STDOUT, not to any file. Third, I have updated the post with more details. I think the HEAD call is filtered out even before it reaches the servlet container. Could it be due to Tomcat on Cloud Foundry? Details of the JVM used in CF can be found here - help.sap.com/viewer/92683dbf07554b01b9d9fd8db39fe622/Cloud/…

I agree, it looks like you are getting Spring Security logs, since you get them for the GET request. That part works, so if the request makes it to your app, a HEAD request should produce similar logs. I suppose an app server could do this, but the default Tomcat configuration used by Spring Boot doesn't, and neither does the default Tomcat configured by the Java buildpack. You can of course customize both and cause different behaviour. Still, given that you are getting Gorouter logs, the request does seem to be reaching your app container.
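One way to carry out the "run it locally" check suggested in the comments, as an added example that is not part of the original thread: a MockMvc test drives the posted SecurityConfiguration without any servlet container, so it separates a 403 that Spring Security produces from one produced earlier in the request path. It assumes spring-boot-starter-test and spring-security-test are on the test classpath and that the application context starts under the cloud profile in the test environment, with the JwtDecoder and bearer-token resolver configured as in the original project.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.head;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;

// Runs the real Spring Security filter chain but no Tomcat. If these tests pass,
// the 403 seen on Cloud Foundry is produced before the request reaches Spring;
// if the first test fails, the filter chain itself is rejecting HEAD.
@SpringBootTest
@AutoConfigureMockMvc
@ActiveProfiles("cloud") // the posted SecurityConfiguration is @Profile("cloud")
class HeadRequestDiagnosticTest {

    @Autowired
    private MockMvc mvc;

    @Test
    void headWithAuthenticatedJwtReachesController() throws Exception {
        // jwt() pre-populates the SecurityContext with a JwtAuthenticationToken,
        // so no Authorization header is sent and the token_keys lookup is skipped.
        mvc.perform(head("/api/v2/head").with(jwt()))
           .andExpect(status().isOk());
    }

    @Test
    void headWithoutTokenIsRejectedBySpringSecurityWith401() throws Exception {
        // With oauth2ResourceServer, a missing token yields 401 from the bearer
        // token entry point, not 403: a 403 with no security debug output at all
        // therefore points outside the Spring Security filter chain.
        mvc.perform(head("/api/v2/head"))
           .andExpect(status().isUnauthorized());
    }
}
```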
Answer 1:
You need to bypass the security filter, otherwise your app will still try to authenticate the request.
Try adding:
```java
.antMatchers(HttpMethod.HEAD, "/**").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
```
before
```java
.antMatchers("api/v1/**").authenticated()
```
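The rule from the answer with a narrower scope, as an added example that is not the answer's own code: in Spring MVC every GET mapping also serves HEAD, so permitAll on HEAD for "/**" lets any GET handler run without a token (the body is discarded, but side effects and Content-Length still happen). Here only the HEAD endpoint from the question is opened, the narrow rules come first because the first matching rule wins, and the patterns carry the leading "/" that AntPathRequestMatcher needs to match a servlet path such as /api/v2/head (the question's "api/v2/**" never matches and falls through to anyRequest()). The JwtDecoder and the bearer-token resolver are assumed to be configured as in the original project.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class HeadAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                // Rules are evaluated top-down and the first match wins, so the
                // narrow anonymous rules must precede the broad authenticated ones.
                // Only the HEAD probe endpoint is opened, not HEAD on "/**": every
                // GET mapping also answers HEAD, so "/**" would run them unauthenticated.
                .antMatchers(HttpMethod.HEAD, "/api/v2/head").permitAll()
                // Browser preflights carry no bearer token; open OPTIONS for the API prefix only.
                .antMatchers(HttpMethod.OPTIONS, "/api/v2/**").permitAll()
                // A leading "/" is required: "api/v2/**" never matches "/api/v2/head".
                .antMatchers("/api/v2/**").authenticated()
                .antMatchers("/actuator/**").hasAuthority("Internal")
                .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
                // Assumption: JwtDecoder, bearerTokenResolver and the authentication
                // converter are configured elsewhere, as in the original project.
                .jwt();
        http.headers().frameOptions().disable();
    }
}
```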