ResponseStatusException永远不会返回给用户

时间:2019-01-01 01:30:14

标签: spring-boot spring-security exception-handling

我有一个Spring Boot Rest API,它在允许请求通过请求的方法之前进行了一些验证过滤。当它到达请求的端点时,我对发送到服务器的数据进行了一些验证,如果数据格式不正确,我想返回一个BAD REQUEST响应。但是,尝试抛出Springs ResponseStatusException不起作用,而是始终返回403 Forbidden,我也不知道为什么。

@Configuration
@EnableWebSecurity
@Slf4j
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
JWTUtility jwtUtility;
@Autowired
UserRepository repository;

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf().disable()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtility, repository))
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}

@Override
public void configure(WebSecurity web) throws Exception {
    web
            .ignoring()
            .antMatchers(HttpMethod.POST, "/users");
}
}


@RestController
@RequestMapping("/users")
@Slf4j
public class UserController {
private final UserRepository repository;
private final Pbkdf2PasswordEncoder passwordEncoder;

UserController(UserRepository repository, Pbkdf2PasswordEncoder passwordEncoder, JWTUtility jwtUtility) {
    this.repository = repository;
    this.passwordEncoder = passwordEncoder;
    this.jwtUtility = jwtUtility;
}

@PostMapping
User create(@RequestBody User user) {
    if (user.getFirstName() == null || user.getFirstName().isEmpty()
            || user.getLastName() == null || user.getLastName().isEmpty()
            || user.getEmail() == null || user.getEmail().isEmpty()
            || user.getDisplayName() == null || user.getDisplayName().isEmpty()
            || user.getPassword() == null || user.getPassword().isEmpty()) {
        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "First name, last name, email, display name, and password must be provided when creating a new user.");
    }
    if (repository.findByEmail(user.getEmail()) != null) {
        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "A user with that email already exists");
    }
    if (repository.findByDisplayName(user.getDisplayName()) != null) {
        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "A user with that display name already exists");
    }

    user.setId(0);
    user.setPassword(passwordEncoder.encode(user.getPassword()));

    repository.save(user);

    return user;
}
}

我希望这个错误的请求能够使用我提供的描述将其返回给用户。 Spring在某处拦截了吗?以及如何阻止它。

1 个答案:

答案 0 :(得分:0)

原来这是安全性配置的问题,而我在Web安全性配置中忽略了/users端点,从而使请求通过该方法,显然在该方法中引发异常导致了HTTP安全性参与并拦截它。

因此,将我的http安全性更改为这样,

http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, "/users").permitAll()
                .and()
                .addFilter(new JWTAuthenticationFilter(authenticationManager(), jwtUtility, repository))
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

解决了问题。奇怪的是,它的行为是这样的,因为如果请求成功并且我不需要抛出异常,则用户对象返回的就很好。似乎引发异常导致它不仅关注网络安全,而且还关注http安全。

相关问题
最新问题