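I have a Spring Boot + Spring Security application, and I found some strange behaviour. When I send a request with wrong authorization (Basic), I receive a normal error message in the body:

    {
        "timestamp": "2018-01-15T11:59:31.837+0000",
        "status": 401,
        "error": "Unauthorized",
        "message": "Bad credentials",
        "path": "/karbonator/api/v1/wallet"
    }

But if I add X-Requested-With: XMLHttpRequest to the headers, I receive only status 401 without a body.
Is this normal? How can I fix it and receive the error message in the body with the XMLHttpRequest header?
Spring Boot version 1.5.9.RELEASE
I don't use any custom header filters. The security configuration is simple: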
SecurityBeanConfiguration

    @Configuration
    public class SecurityBeanConfiguration extends GlobalAuthenticationConfigurerAdapter {
        @Autowired
        private UserRepository userRepository;

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService());
        }

        @Bean
        UserDetailsService userDetailsService() {
            return new UserDetailsService() {
                @Override
                public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
                    User user = userRepository.get(s);
                    if (Objects.nonNull(user)) {
                        return new org.springframework.security.core.userdetails.User(
                                user.getUsername(),
                                user.getPassword(),
                                true,
                                true,
                                true,
                                true,
                                AuthorityUtils.createAuthorityList(""));
                    } else {
                        throw new UsernameNotFoundException("Could not find the user " + s);
                    }
                }
            };
        }

        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
            provider.setUserDetailsService(userDetailsService());
            return provider;
        }
    }

SecurityConfiguration

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
        @Autowired
        private DaoAuthenticationProvider authenticationProvider;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .anyRequest().fullyAuthenticated()
                    .and().httpBasic()
                    .and().csrf().disable()
            ;
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider);
        }
    }

The whole project is available here: https://github.com/rublin/XMLHttpRequest
P.S. It looks like a Spring Security issue.
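
Added example (not part of the original post or the linked project): in Spring Security 4.2.x, `HttpBasicConfigurer` sends requests carrying `X-Requested-With: XMLHttpRequest` to an `HttpStatusEntryPoint`, which only sets the 401 status and never calls `sendError`, so no error body is rendered. One way to get the body back is to set an explicit entry point on `httpBasic()`; the class names `XhrAwareSecurityConfiguration` and `BodyPreservingEntryPoint` and the realm value are assumptions, and the authentication provider wiring from the post is left out.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class XhrAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Assumed realm name for the Basic challenge; choose your own.
    private static final String REALM = "Realm";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().fullyAuthenticated()
            .and().httpBasic()
                // An explicit entry point replaces the default delegating one,
                // so XHR and non-XHR failures take the same sendError() path.
                .authenticationEntryPoint(new BodyPreservingEntryPoint())
            .and().csrf().disable(); // kept as in the post
    }

    // Hypothetical entry point: 401 with an error body for every client.
    static class BodyPreservingEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException) throws IOException {
            boolean xhr = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
            if (!xhr) {
                // Only non-XHR clients get the challenge that opens the browser login dialog.
                response.addHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            }
            // sendError() dispatches to the error page, which renders the JSON body.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
        }
    }
}
```

Leaving `WWW-Authenticate` off the XHR response keeps the browser's native credential prompt from appearing over a JavaScript client, which is the reason the default treats these requests differently.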