After logging in, I get redirected to /robots.txt

Time: 2018-09-06 13:50:16

Tags: spring-boot spring-security

So, since a few weeks ago we have been noticing some strange behaviour in several projects that use Spring Boot and Spring Security.

It seems to be almost exclusively OSX users who have this problem, but whenever we log in to the application, it randomly redirects back to robots.txt.

I realise this may not be much to go on, but unfortunately this is all the information I have. So far we have only seen this pop up on OSX and in 3 different projects (some live and some running locally).

The server log shows this as the request info (I removed/obfuscated some real information):

Request parameters:


Request attributes:
javax.servlet.forward.request_uri: '/robots.txt'
javax.servlet.forward.context_path: ''
javax.servlet.forward.servlet_path: '/robots.txt'
javax.servlet.forward.mapping: 'org.apache.catalina.core.ApplicationMapping$MappingImpl@4352fb9f'
org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER: 'org.springframework.web.context.request.async.WebAsyncManager@d83be2'
javax.servlet.error.status_code: '404'
org.springframework.web.servlet.DispatcherServlet.CONTEXT: 'org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext@6e521844: startup date [Tue Aug 28 16:09:57 CEST 2018]; root of context hierarchy'
org.springframework.web.servlet.resource.ResourceUrlProvider: 'org.springframework.web.servlet.resource.ResourceUrlProvider@f1e816f'
org.springframework.web.servlet.HandlerMapping.introspectTypeLevelMapping: 'false'
javax.servlet.http.HttpServletResponse: 'org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterResponse@1609a68b'
__spring_security_session_mgmt_filter_applied: 'true'
characterEncodingFilter.FILTERED: 'true'
_csrf: 'SaveOnAccessCsrfToken [delegate=org.springframework.security.web.csrf.DefaultCsrfToken@aa7c61f]'
__spring_security_filterSecurityInterceptor_filterApplied: 'true'
org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter$TimingContext: 'org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter$TimingContext@5efd5ad7'
org.springframework.web.servlet.DispatcherServlet.THEME_SOURCE: 'org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext@6e521844: startup date [Tue Aug 28 16:09:57 CEST 2018]; root of context hierarchy'
org.springframework.web.servlet.HandlerMapping.producibleMediaTypes: '[text/html]'
org.springframework.web.servlet.DispatcherServlet.LOCALE_RESOLVER: 'org.springframework.web.servlet.i18n.FixedLocaleResolver@5602d5b5'
org.springframework.web.servlet.HandlerMapping.bestMatchingPattern: '/error'
org.springframework.web.servlet.DispatcherServlet.OUTPUT_FLASH_MAP: 'FlashMap [attributes={}, targetRequestPath=null, targetRequestParams={}]'
errorPageFilter.FILTERED: 'true'
org.springframework.web.servlet.HandlerMapping.pathWithinHandlerMapping: '/error'
org.springframework.web.servlet.DispatcherServlet.FLASH_MAP_MANAGER: 'org.springframework.web.servlet.support.SessionFlashMapManager@1fbb7dc1'
org.springframework.security.web.csrf.CsrfToken: 'SaveOnAccessCsrfToken [delegate=org.springframework.security.web.csrf.DefaultCsrfToken@aa7c61f]'
javax.servlet.error.request_uri: '/robots.txt'
org.springframework.web.servlet.HandlerMapping.uriTemplateVariables: '{}'
org.springframework.web.servlet.DispatcherServlet.THEME_RESOLVER: 'org.springframework.web.servlet.theme.FixedThemeResolver@445dbd43'

Request headers:
host: 'website.com';
connection: 'keep-alive';
Cache-Control: 'max-age=0';
Upgrade-Insecure-Requests: '1';
user-agent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36';
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8';
referer: 'https://website.com/login';
Accept-Encoding: 'gzip, deflate, br';
Accept-Language: 'en-GB,en-US;q=0.9,en;q=0.8';
cookie: 'JSESSIONID=6909C15700507E59492ECE290D8288B4';
content-length: '0';

Session attributes:
SPRING_SECURITY_CONTEXT: org.springframework.security.core.context.SecurityContextImpl@2d2bdc98: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2d2bdc98: Principal: com.company.application.security.UserDetails@dc9e9848: Username: username; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_CUSTOMER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 0.0.0.0; SessionId: 2CD3B5E833D51BE0AB34455CFCC3E644; Granted Authorities: ROLE_ADMIN, ROLE_CUSTOMER

Does anyone know why this happens?

1 answer:

Answer 0 : (score: 4)

My guess is that the browser or one of its plugins is requesting /robots.txt. For a user this happens to, you could inspect the traffic and check whether it is being requested.

The reason it only happens occasionally is that it is likely a race condition. Spring Security redirects to the last non-public URL that was requested.

You could try to work around this by marking /robots.txt as allowAll

Java Config

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .mvcMatchers("/robots.txt").permitAll() // public, so never saved as a login redirect target
            ...
}

XML config

<http ...>
    <intercept-url pattern="/robots.txt" access="permitAll"/>
    ...
</http>
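To make the race described in the answer concrete, here is a small Python model of Spring Security's saved-request behaviour (the request cache that ExceptionTranslationFilter fills and that the login success handler redirects to). It is an added illustration, not Spring code or code from the question or answer: the paths /dashboard and /login, the Session class and the handle function are constructed for the example.

```python
# Added example: a model of Spring Security's saved-request behaviour
# (HttpSessionRequestCache + SavedRequestAwareAuthenticationSuccessHandler).
# It is not Spring code; it only reproduces the sequence the answer describes.
DEFAULT_TARGET = "/"          # where a login lands when nothing was saved


class Session:
    """Stands in for the HttpSession: holds the saved request and auth state."""
    def __init__(self):
        self.saved_request = None
        self.authenticated = False


def handle(session, method, path, permit_all):
    """Model one request through a Spring-Security-like filter chain.

    Returns the response the browser would see: either a redirect
    ("302 <location>") or a plain "200 <path>".
    """
    if path == "/login":
        if method == "POST":
            # Successful login: the success handler redirects to the *last*
            # saved request, then clears it.
            session.authenticated = True
            target = session.saved_request or DEFAULT_TARGET
            session.saved_request = None
            return f"302 {target}"
        return "200 /login"
    if path in permit_all or session.authenticated:
        return f"200 {path}"
    # Unauthenticated access to a protected URL: the request is saved in the
    # session (overwriting any earlier one) and the browser is sent to /login.
    session.saved_request = path
    return "302 /login"


def login_flow_with_background_request(permit_all):
    """User opens /dashboard, is sent to the login page, and while the form is
    open a browser plugin fetches /robots.txt; then the user submits the form.
    Returns the redirect the browser receives after logging in."""
    session = Session()
    handle(session, "GET", "/dashboard", permit_all)   # saved: /dashboard
    handle(session, "GET", "/login", permit_all)
    handle(session, "GET", "/robots.txt", permit_all)  # the racing request
    return handle(session, "POST", "/login", permit_all)
```

With /robots.txt protected, the background request overwrites the saved /dashboard and the login lands on /robots.txt (which then 404s, as in the logged request above); with /robots.txt in permit_all it is never saved and the login returns to /dashboard.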