Spring Boot 应用程序端点返回 403

Posted

技术标签:

【中文标题】Spring Boot 应用程序端点返回 403【英文标题】:Spring Boot application endpoint returns 403 【发布时间】:2019-04-02 14:23:16 【问题描述】:

我是 Spring Boot 新手,目前卡住了。我遵循了这个 (https://github.com/AppDirect/service-integration-sdk/wiki) 教程,因为我想实现一个将自身集成到 AppDirect 中的应用程序。在日志中,我可以看到端点被创建和映射:

2018-10-29 16:32:48.898  INFO 8644 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "[/api/v1/integration/processEvent],methods=[GET],produces=[application/json]" onto public org.springframework.http.ResponseEntity<com.appdirect.sdk.appmarket.events.APIResult> com.appdirect.sdk.appmarket.events.AppmarketEventController.processEvent(javax.servlet.http.HttpServletRequest,java.lang.String)

但是当我尝试使用浏览器或 Http-Requester 访问端点 (http://localhost:8080/api/v1/integration/processEvent) 时,我得到以下响应: timestamp":"2018-10-29T08:50:13.252+0000","status":403,"error":"Forbidden","message":"Access Denied","path":"/api/v1 /integration/processEvent"

我的 application.yml 看起来像这样:

connector.allowed.credentials: very-secure:password

server:
  use-forward-headers: true
  tomcat:
    remote_ip_header: x-forwarded-for

endpoints:
  enabled: true
  info:
    enabled: true
    sensitive: false
  health:
    enabled: true
    sensitive: false
    time-to-live: 5000

info:
  build:
    name: @project.name@
    description: @project.description@
    version: @project.version@

这是我的 Application.java:

package de.....;

import java.nio.charset.Charset;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.http.MediaType;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

public class Application extends WebMvcConfigurerAdapter 
    public static void main(String... args) 
        SpringApplication.run(RootConfiguration.class, args);
    

    /**
     * Hack to make Spring Boot @Controller annotated classed to recognize the 'x-www-form-urlencoded' media type
     *
     * @param converters
     */
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) 
        FormHttpMessageConverter converter = new FormHttpMessageConverter();
        MediaType mediaType = new MediaType("application", "x-www-form-urlencoded", Charset.forName("UTF-8"));
        converter.setSupportedMediaTypes(Collections.singletonList(mediaType));
        converters.add(converter);
        super.configureMessageConverters(converters);
    

这是 RootConfiguration.java:

package de.....;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;

import com.appdirect.sdk.ConnectorSdkConfiguration;
import com.appdirect.sdk.appmarket.DeveloperSpecificAppmarketCredentialsSupplier;
import com.appdirect.sdk.credentials.StringBackedCredentialsSupplier;

import de.....;

@Configuration
@Import(
    ConnectorSdkConfiguration.class,
    EventHandlersConfiguration.class
)
@EnableAutoConfiguration
public class RootConfiguration 

    @Bean
    public DeveloperSpecificAppmarketCredentialsSupplier environmentCredentialsSupplier(@Value("$connector.allowed.credentials") String allowedCredentials) 
        return new StringBackedCredentialsSupplier(allowedCredentials);
    

感谢任何帮助,因为密集的谷歌搜索没有帮助。 提前致谢。

【问题讨论】:

您使用的是 Spring Security,对吗?如果是这样,您应该知道默认情况下所有端点都是安全的,因此您必须登录才能进一步请求资源。如果您不打算保护端点,请从依赖项中删除 Spring Security。 感谢您为我指明了正确的方向。以下页面引导我找到我的解决方案,请参阅下面的我自己的答案:***.com/questions/23894010/… 【参考方案1】:

添加以下类并在 Application.java 中注册它解决了我的问题:

package de.......;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
@Order(1)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter 

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception 
        httpSecurity.authorizeRequests().antMatchers("/").permitAll();
    


【讨论】:

以上是关于Spring Boot 应用程序端点返回 403的主要内容,如果未能解决你的问题,请参考以下文章

执行 POST 请求时的 Spring Boot 端点 403 OPTIONS

尽管我有管理员权限,但 Spring Boot 返回 403

Spring Boot:发生 RESTFul 错误(404、403、500)时获取 JSON 正文

对于未经身份验证的请求,Keycloak spring boot 返回 403 而不是 401

使用 @PreAuthorize 时从 Spring 控制器返回 405 与 403

Spring Boot 安全性 403 重定向