Differences
This page shows the differences between two versions of the article.
java:web:restapi:x-http-method-override_filter [2016/02/26 21:52] tony [Trace]
java:web:restapi:x-http-method-override_filter [2023/06/25 09:48]
====== Incorrect response (401) when using X-HTTP-Method-Override ======
===== Problem =====
We use Spring's REST support. Some time ago, to support X-HTTP-Method-Override, we added that behaviour to an existing Filter. One day a colleague found that calling our API through the Apache HTTP client API produced a 401 error:
<code>
{"code":401,"message":"Incorrect response","links":[{"rel":"more info","href":"http://192.168.1.110:8080/TestWeb/api/documents"}]}
</code>
Two conditions must both hold for the problem to appear:
  - Digest authentication is used
  - X-HTTP-Method-Override is used
So when I had some free time, I started tracing the problem.
===== Trace =====
Spring Security provides DigestAuthenticationFilter to handle Digest authentication. When the user's first request arrives and Spring Security finds that it is not authenticated, it sends the authentication challenge through the AuthenticationEntryPoint. So that an authentication failure could return the error message as XML or JSON (see the response above), we extended DigestAuthenticationEntryPoint:
<code java>
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;

/**
 * Issues the normal Digest challenge, but writes the 401 body as XML/JSON
 * instead of the parent class's plain-text error.
 * MessageProcessor, ErrorInfo and ErrorResponseEntityCreator are project classes.
 */
public class JsonDigestAuthenticationEntryPoint extends DigestAuthenticationEntryPoint {
    private static final Log logger = LogFactory.getLog(JsonDigestAuthenticationEntryPoint.class);

    // Serialises the ErrorInfo to XML or JSON according to the request.
    @Autowired
    private MessageProcessor mMessageProcessor;

    @Override
    public void commence(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {

        // ... skip (the WWW-Authenticate challenge value is built here, as in the parent class)

        response.addHeader("WWW-Authenticate", authenticateHeader);

        try {
            // authException.getMessage() is the text the client ends up seeing,
            // e.g. "Incorrect response" from DigestAuthenticationFilter.
            ErrorInfo errorInfo = ErrorResponseEntityCreator.createErrorInfo(request,
                    HttpStatus.UNAUTHORIZED.value(), authException.getMessage());

            response.setStatus(HttpStatus.UNAUTHORIZED.value());
            mMessageProcessor.handle(errorInfo, request, response);
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

}
</code>
The authException here is the "Incorrect response" we saw. So I traced further up and found that DigestAuthenticationFilter computes the digest value from the request method.
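Added example (not from the original page or from Spring Security) showing why the request method matters: in RFC 2617 the client's response is MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri), so the server only reproduces it when it hashes the same method the client signed. The credentials and nonces are the sample values from RFC 2617 section 3.5; the overridden method "DELETE" is an assumed stand-in for whatever the X-HTTP-Method-Override header carried.

```python
import hashlib


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 response for qop=auth. HA2 covers the HTTP method, which is the
    value an X-HTTP-Method-Override filter rewrites."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_check(seen_method: str, client_response: str, **params) -> str:
    """Mimics the filter's decision: recompute the response with the method the
    filter sees on the request and compare. Returns "ok" or the message that
    DigestAuthenticationFilter reports, "Incorrect response"."""
    expected = digest_response(method=seen_method, **params)
    return "ok" if expected == client_response else "Incorrect response"


# Constructed input: the sample values from RFC 2617 section 3.5, not from the page.
RFC2617_SAMPLE = dict(
    username="Mufasa",
    realm="testrealm@host.com",
    password="Circle Of Life",
    uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    nc="00000001",
    cnonce="0a4f113b",
)


def demo(wire_method: str = "GET", override_method: str = "DELETE"):
    """The client signs the method it actually sends on the wire. Returns the
    filter's verdict when it sees that method, and when an earlier filter has
    already replaced it with the X-HTTP-Method-Override value (assumed "DELETE")."""
    client_response = digest_response(method=wire_method, **RFC2617_SAMPLE)
    without_override = server_check(wire_method, client_response, **RFC2617_SAMPLE)
    with_override = server_check(override_method, client_response, **RFC2617_SAMPLE)
    return without_override, with_override


if __name__ == "__main__":
    print(demo())
```

The consequence for the filter chain: if the override filter swaps `getMethod()` before DigestAuthenticationFilter runs, the digest is verified against a method the client never hashed and the request is rejected with exactly the "Incorrect response" above. Either the digest filter must run before the override, or the digest check must use the original wire method.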