Spring Security returns 403 instead of 401 and creates invalid Redis session cookie

Question

I'm using Spring Security and Spring Data Redis to keep track of user sessions with custom roles and entitlements. When I try to hit a PreAuthorized endpoint without a session cookie in my browser, it should return a 401. Instead a new (invalid) session cookie is created and the endpoint returns a 403.

Here's my SecurityConfig:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // every request must be authenticated; no authenticationEntryPoint and no
                // sessionCreationPolicy are set, so Spring Security's defaults apply
                .authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
                .csrf().disable().cors();
    }
}

I'm also using MethodSecurityConfig and an implementation of UserDetails to parse the custom fields from the user authentication.

Answer 1

Score: 1


Here's the fix, for anyone who encounters a similar issue down the line:

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER).and()   //let redis handle session creation
                .csrf().disable().cors().and()
                .requestCache().disable().exceptionHandling().and()                         //prevent exception creating duplicate session
                .authorizeRequests().anyRequest().authenticated().and()                     //all endpoints need auth
                .exceptionHandling().authenticationEntryPoint(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));                 //return 401 on no session
    }
}
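
As an added check, not part of the original question or answer, the following Spring Boot MockMvc test pins down the two behaviours the answer's configuration is meant to produce: a request with no session cookie to a protected endpoint gets 401 rather than the default 403, and the rejection does not hand out a session cookie. The endpoint path /api/profile, the test class name, the assumption that role USER is enough to reach that endpoint, and the use of spring-boot-starter-test together with spring-security-test are all assumptions of this example; it also assumes the application context can start, i.e. that Spring Session can reach its Redis.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Added example, not code from the original post. Boots the full context (the SecurityConfig
// from the answer plus the Spring Session filter) and drives the filter chain through MockMvc.
@SpringBootTest
@AutoConfigureMockMvc
class UnauthenticatedEntryPointTest {

    // Hypothetical protected endpoint; substitute one guarded by your own SecurityConfig.
    private static final String PROTECTED_URL = "/api/profile";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void requestWithoutSessionGets401AndNoSessionCookie() throws Exception {
        mockMvc.perform(get(PROTECTED_URL))
                // HttpStatusEntryPoint(UNAUTHORIZED) must answer, not the default 403 entry point
                .andExpect(status().isUnauthorized())
                // with SessionCreationPolicy.NEVER the rejection must not create a session,
                // so Spring Session has no SESSION cookie to write
                .andExpect(header().doesNotExist("Set-Cookie"));
    }

    @Test
    void authenticatedRequestIsNotRejectedByTheEntryPoint() throws Exception {
        // user() populates the SecurityContext for this single request, standing in for a
        // valid Redis-backed session; the entry point must stay out of the way
        mockMvc.perform(get(PROTECTED_URL).with(user("alice").roles("USER")))
                .andExpect(status().isOk());
    }
}
```

Run it with the project's usual test task (./mvnw test or ./gradlew test). The second test is the reason the answer picks SessionCreationPolicy.NEVER rather than STATELESS: NEVER stops Spring Security from creating a session itself but still reads the one Spring Session established at login, whereas STATELESS would ignore the existing session as well and every request would land at the entry point. WebSecurityConfigurerAdapter was deprecated in Spring Security 5.7 and removed in 6.0; on those versions the same chain is declared as a SecurityFilterChain bean, and this test applies unchanged.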

huangapple
  • Posted on 2020-10-14 21:22:12
  • Please keep this link when reposting: https://go.coder-hub.com/64354259.html