CakePHP Security component is black-holing a local client call

Time: 2014-07-14 09:59:16

Tags: cakephp cakephp-2.3

So I have a RestEventsController which has an add function that uses the EventsController's add logic. I have set up a local test client like this:

App::uses('HttpSocket', 'Network/Http');

class ClientController extends AppController {
    public $components = array('Security', 'RequestHandler');

    public function index(){

    }

    public function request_add(){

        // remotely post the information to the server
        $link =  "http://" . $_SERVER['HTTP_HOST'] . $this->webroot.'rest_events.json';

        $data = null;
        $httpSocket = new HttpSocket();
        $data['Event']['user_id'] = '1234';
        $data['Event']['date'] = '2014-07-14';

        $response = $httpSocket->post($link, $data );
        $this->set('response_code', $response->code);
        $this->set('response_body', $response->body);

        $this->render('/Client/request_add');
    }
}

It should make an HTTP request to the RESTful controller, but the response I get says:

{"name":"The request has been black-holed","url":"\/application\/rest_events.json"}

even though the actions have been unlocked in the AppController's beforeFilter, as shown below:

public function beforeFilter(){

    if(in_array($this->params['controller'], array('rest_events'))){
        $this->Auth->allow();
        $this->Security->requireSecure();
        $this->Security->unlockedActions = array('index', 'add');
    }else{
        $this->Auth->allow('index', 'view');
        $this->set('logged_in', $this->Auth->loggedIn());
        $this->set('current_user', $this->Auth->user());
    }

}

What could be going wrong here?

Any help or guidance is greatly appreciated.

1 answer:

Answer 0 (score: 2)

Probably SecurityComponent::requireSecure() vs http, i.e. you are not making a secure request.

Unlocked actions still require secure

In case you expect that adding an action to SecurityComponent::$unlockedActions would exclude it from the secure check, no, that is not the case; unlocked actions are only excluded from the POST data validation and the CSRF check.

So either use https, or don't activate requireSecure() depending on the requested action, for example:

if(!in_array($this->request->params['action'], $this->Security->unlockedActions)) {
    $this->Security->requireSecure();
}

The reason for the black-holed request

Also note that you can use SecurityComponent::$blackHoleCallback to define a callback on your controller that is invoked when a request is black-holed; it receives the error type, which you can inspect or write to a log.

public function beforeFilter() {
    $this->Security->blackHoleCallback = 'blackhole';
}

public function blackhole($type) {
    debug($type);
    throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
}

Note that once a black-hole callback is defined, the Security component no longer throws a BadRequestException; you have to do that yourself!

See Cookbook > Security Component > Handling blackhole callbacks for more information.
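Putting the answer's two points together, here is an added example (not code from the question or the answer) of a CakePHP 2.x AppController that applies requireSecure() only to locked actions and logs the black-hole reason before raising the exception itself. It assumes the 'rest_events' controller and the 'index'/'add' actions from the question, and the https redirect on a 'secure' black-hole is this example's own choice rather than component behaviour.

```php
<?php
// Added example, not from the question or the answer. Assumes the
// 'rest_events' controller and 'index'/'add' actions from the question.
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    public $components = array('Auth', 'Security', 'RequestHandler');

    public function beforeFilter() {
        parent::beforeFilter();
        $this->Security->blackHoleCallback = 'blackhole';

        if ($this->request->params['controller'] === 'rest_events') {
            $this->Auth->allow();
            // Unlocking skips only the POST-data and CSRF checks; the
            // requireSecure() check has to be skipped explicitly as well.
            $this->Security->unlockedActions = array('index', 'add');
            if (!in_array($this->request->params['action'], $this->Security->unlockedActions)) {
                $this->Security->requireSecure();
            }
        } else {
            $this->Auth->allow('index', 'view');
        }
    }

    // Invoked by SecurityComponent with the error type ('secure', 'auth', 'csrf', ...).
    public function blackhole($type) {
        CakeLog::write('warning', sprintf(
            'Black-holed %s request to %s from %s (reason: %s)',
            $this->request->method(),
            $this->request->here,
            $this->request->clientIp(),
            $type
        ));
        if ($type === 'secure') {
            // Plain-HTTP request to an action that requires SSL (this example's
            // own choice): send the client to the https URL instead of failing.
            return $this->redirect('https://' . env('SERVER_NAME') . $this->request->here);
        }
        // Defining a callback disables the component's own exception, so raise it here.
        throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
    }
}
```

With this in place the question's local client, which posts over plain http, reaches the unlocked add action, while a non-unlocked action hit over http is logged and redirected rather than silently black-holed.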