HTTP Request and Response Structure
1. HTTP Request
Apart from the request body, every part of an HTTP message is plain text.
Request

```http
GET http://localhost:8080/api/greeting HTTP/1.1
```
Response

```txt
HTTP/1.1 401
Set-Cookie: JSESSIONID=26F4450A72B86B8A90E2A851B38CE19E; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 14 Mar 2023 14:01:14 GMT
Keep-Alive: timeout=60
Connection: keep-alive

{
  "timestamp": "2023-03-14T14:01:14.582+00:00",
  "status": 401,
  "error": "Unauthorized",
  "message": "",
  "path": "/api/greeting"
}
```
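The point that everything except the body is plain text is easiest to see by taking a message apart. The following is an added example, not code from these notes or from the HTTP client: a small parser that splits a raw HTTP/1.1 message into start line, headers and body, and undoes the Transfer-Encoding: chunked framing the 401 response above uses (the client displays the body already de-chunked, so the wire-format samples in the block are constructed from the exchange above).

```python
"""Split a raw HTTP/1.1 message into its plain-text parts (start line, headers)
and its body, undoing chunked transfer encoding when needed.
Added example, not from the original notes. The request is the one shown above,
written in wire format; the 401 response is re-chunked the way it travels on the
wire, since the HTTP client displays the body already de-chunked (constructed)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field


@dataclass
class HttpMessage:
    start_line: str
    headers: dict[str, str] = field(default_factory=dict)  # names lower-cased
    body: bytes = b""


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body: hex size, CRLF, data, CRLF, ..., 0."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.index(b"\r\n", pos)
        # chunk-size is hexadecimal and may carry ";ext=val" parameters, which are dropped
        size = int(raw[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # last-chunk reached; trailer fields are ignored here
        out += raw[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates each chunk


def parse_http_message(raw: bytes) -> HttpMessage:
    """Everything before the first blank line is text; the body is whatever follows."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # field names are case-insensitive; a repeated name (e.g. Set-Cookie) overwrites here
        msg.headers[name.strip().lower()] = value.strip()
    if msg.headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    elif "content-length" in msg.headers:
        body = body[: int(msg.headers["content-length"])]
    msg.body = body
    return msg


def status_code(msg: HttpMessage) -> int:
    """Second token of a response start line ("HTTP/1.1 401" -> 401)."""
    return int(msg.start_line.split()[1])


def auth_scheme(msg: HttpMessage) -> str | None:
    """Scheme named by the WWW-Authenticate challenge, e.g. "Basic", or None."""
    challenge = msg.headers.get("www-authenticate")
    return challenge.split()[0] if challenge else None


def body_json(msg: HttpMessage) -> dict:
    """Decode a JSON body such as Spring Boot's error object."""
    return json.loads(msg.body)


# Constructed wire-format samples based on the exchange shown above.
REQUEST = b"GET /api/greeting HTTP/1.1\r\nHost: localhost:8080\r\n\r\n"

_ERROR_JSON = (b'{"timestamp": "2023-03-14T14:01:14.582+00:00", "status": 401, '
               b'"error": "Unauthorized", "message": "", "path": "/api/greeting"}')


def _chunk(data: bytes) -> bytes:
    return f"{len(data):x}".encode() + b"\r\n" + data + b"\r\n"


RESPONSE = (
    b"HTTP/1.1 401\r\n"
    b'WWW-Authenticate: Basic realm="Realm"\r\n'
    b"Content-Type: application/json\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    + _chunk(_ERROR_JSON[:40]) + _chunk(_ERROR_JSON[40:]) + b"0\r\n\r\n"
)

if __name__ == "__main__":
    resp = parse_http_message(RESPONSE)
    print(status_code(resp), auth_scheme(resp), body_json(resp)["path"])
```

Header names are lower-cased before storage because HTTP treats them case-insensitively; a complete client would also keep repeated fields such as Set-Cookie as a list instead of letting the last one win.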
Accessing the same URL from a browser, however, gives a rather different result.
Basic authentication
Add the authentication header. What, then, does the WWW-Authenticate: Basic realm="Realm" header above tell us?
```http
GET http://localhost:8080/api/greeting HTTP/1.1
Authorization: Basic user 5185806c-7ddc-4198-bcc2-ad5e92c995ad
```
The tool automatically Base64-encodes the credentials (user and password).
Response

```txt
HTTP/1.1 200
Set-Cookie: JSESSIONID=F1C936440785F4BA25A52AFFE197286C; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;charset=UTF-8
Content-Length: 8
Date: Tue, 14 Mar 2023 14:11:09 GMT
Keep-Alive: timeout=60
Connection: keep-alive

greeting
Response code: 200; Time: 244ms (244 ms); Content length: 8 bytes (8 B)
```
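What the tool does with `Authorization: Basic user <password>` is join the two with a colon and Base64-encode the result (RFC 7617). The following added example, not code from these notes or from the HTTP client, builds that header, parses it on the server side and checks it with a constant-time comparison; the credential store is constructed from the password used in the request above. Base64 is a reversible encoding, not encryption, which is why Basic authentication is only acceptable over TLS.

```python
"""Build and verify an HTTP Basic Authorization header (RFC 7617).
Added example, not code from these notes or from the HTTP client.
Base64 is reversible: anyone who can read the header recovers the password,
so Basic authentication is only acceptable over TLS."""
from __future__ import annotations

import base64
import binascii
import hmac


def build_basic_header(user: str, password: str) -> str:
    """What the client does with `Authorization: Basic user password`: join with ':' and Base64-encode."""
    if ":" in user:
        raise ValueError("user-id must not contain ':' (it separates user and password)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> tuple[str, str] | None:
    """Server side: recover (user, password), or None when the header is not valid Basic."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # the auth-scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # split at the FIRST colon only:
    if not sep:                                     # passwords may themselves contain colons
        return None
    return user, password


# Constructed credential store: the password used in the Authorization header above.
CREDENTIALS = {"user": "5185806c-7ddc-4198-bcc2-ad5e92c995ad"}


def authenticate(header: str | None) -> int:
    """Status a Basic-protected endpoint answers with for the given Authorization header."""
    if header is None:
        return 401  # no credentials yet: challenge with WWW-Authenticate: Basic realm="..."
    parsed = parse_basic_header(header)
    if parsed is None:
        return 401  # malformed header: challenge again rather than explain what was wrong
    user, password = parsed
    expected = CREDENTIALS.get(user, "")
    # compare_digest runs in time independent of where the strings first differ
    if expected and hmac.compare_digest(expected.encode(), password.encode()):
        return 200
    return 401  # unknown user or wrong password: same answer for both


if __name__ == "__main__":
    header = build_basic_header("user", CREDENTIALS["user"])
    print(header, authenticate(header))
```

The server-side parser splits at the first colon only, because RFC 7617 forbids a colon in the user-id but allows it in the password; decoding with validate=True makes a header with non-Base64 characters fail early instead of being silently accepted.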
POST request
```java
// Handler inside a @RestController whose class-level mapping provides the /api prefix
@PostMapping("/greeting")
public String makeGreeting(@RequestParam String name) {
    return "greeting: " + name;
}
```
```http
GET http://localhost:8080/api/greeting HTTP/1.1
Authorization: Basic user 865a02ec-b787-4ed7-b91c-a8945ae36b6e

###

POST http://localhost:8080/api/greeting?name=yyy HTTP/1.1
Authorization: Basic user 865a02ec-b787-4ed7-b91c-a8945ae36b6e

###
```
```txt
http://localhost:8080/api/greeting?name=yyy

HTTP/1.1 403
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 14 Mar 2023 14:20:31 GMT
Keep-Alive: timeout=60
Connection: keep-alive

{
  "timestamp": "2023-03-14T14:20:31.460+00:00",
  "status": 403,
  "error": "Forbidden",
  "message": "",
  "path": "/api/greeting"
}
```
The response is 403, which means authentication succeeded but authorization failed. Looking at the logs:

Question: does this tool follow redirects automatically? Is the request below a forward or a redirect? Was it the invalid CSRF token that caused a redirect/forward to /error and hence the 403, or was the 403 caused by something else?
```txt
2023-03-14 22:20:31.451 DEBUG 10080 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/greeting?name=yyy at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'
2023-03-14 22:20:31.451 DEBUG 10080 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/api/greeting?name=yyy
2023-03-14 22:20:31.452 DEBUG 10080 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@242a0f05
2023-03-14 22:20:31.452 DEBUG 10080 --- [nio-8080-exec-2] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2023-03-14 22:20:31.454 DEBUG 10080 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /error?name=yyy at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
```
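The log shows the CsrfFilter rejecting the POST; the GET in the same file passed because Spring Security's default CSRF matcher exempts the safe methods GET, HEAD, TRACE and OPTIONS. The /error request that follows is the servlet container's error-page dispatch after the 403 was set on the response, a server-side forward rather than a redirect the client would see. The following is an added example, not Spring's code: a minimal model of that filter's decision plus a scan over the DEBUG lines above that extracts each rejection. Header and parameter names follow Spring's defaults; the log lines embedded in the block are copied from the output above.

```python
"""Model of the decision Spring Security's CsrfFilter makes, plus a scan of its
DEBUG log lines. Added example, not Spring's code. Header and parameter names
follow Spring's defaults; the log lines are copied from the output above."""
from __future__ import annotations

import hmac
import re
import secrets

SAFE_METHODS = frozenset({"GET", "HEAD", "TRACE", "OPTIONS"})  # Spring's default CSRF exemptions
HEADER_NAME = "X-CSRF-TOKEN"  # default header carrying the token
PARAM_NAME = "_csrf"          # default form parameter carrying the token


def csrf_filter(method: str, session_token: str | None,
                headers: dict[str, str], params: dict[str, str]) -> int:
    """403 when a state-changing request does not present the session's token, else 200."""
    if method.upper() in SAFE_METHODS:
        return 200  # never checked, which is why the GET request passed
    if session_token is None:
        return 403  # no token was ever issued for this session
    presented = headers.get(HEADER_NAME) or params.get(PARAM_NAME)
    if presented is None or not hmac.compare_digest(session_token.encode(), presented.encode()):
        # AccessDeniedHandler -> response.sendError(403); the container then dispatches /error
        return 403
    return 200


def demo() -> dict[str, int]:
    """The four cases a client can be in; the POST above is the second one."""
    token = secrets.token_urlsafe(32)  # what the CsrfTokenRepository stores in the session
    return {
        "GET without token": csrf_filter("GET", token, {}, {}),
        "POST without token": csrf_filter("POST", token, {}, {"name": "yyy"}),
        "POST with token": csrf_filter("POST", token, {HEADER_NAME: token}, {"name": "yyy"}),
        "POST with wrong token": csrf_filter("POST", token, {HEADER_NAME: "forged"}, {}),
    }


# Spring Boot's default log layout: timestamp, level, pid, ---, [thread], logger, :, message
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) +(?P<level>\w+) +\d+ --- \[(?P<thread>[^\]]+)\] (?P<logger>\S+) +: (?P<msg>.*)$")
CSRF_REJECT = re.compile(r"Invalid CSRF token found for (?P<url>\S+)")


def csrf_rejections(log_lines) -> list[tuple[str, str]]:
    """(thread, url) for each CsrfFilter rejection: a simple detection rule for
    clients that send POST/PUT/DELETE without a token."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not m["logger"].endswith("CsrfFilter"):
            continue
        rej = CSRF_REJECT.search(m["msg"])
        if rej:
            hits.append((m["thread"], rej["url"]))
    return hits


SAMPLE_LOG = [  # copied from the log above
    "2023-03-14 22:20:31.451 DEBUG 10080 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /api/greeting?name=yyy at position 4 of 15 in additional filter chain; firing Filter: 'CsrfFilter'",
    "2023-03-14 22:20:31.451 DEBUG 10080 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for http://localhost:8080/api/greeting?name=yyy",
    "2023-03-14 22:20:31.454 DEBUG 10080 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy : /error?name=yyy at position 1 of 15 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'",
]

if __name__ == "__main__":
    print(demo())
    print(csrf_rejections(SAMPLE_LOG))
```

The token comparison uses hmac.compare_digest so that timing does not leak how many leading characters of a guess were right; the log scan keys on the logger name rather than on the message text alone, so unrelated lines that happen to mention CSRF are not counted.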
Reconfigure
```java
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)   // turns CSRF checks off for every request, browser sessions included
            .httpBasic(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults());
    }
}
```
```http
POST http://localhost:8080/api/greeting?name=yyy HTTP/1.1
Authorization: Basic user cbfe7690-430a-4649-b70a-a7088726339c
```

```txt
http://localhost:8080/api/greeting?name=yyy

HTTP/1.1 200
Set-Cookie: JSESSIONID=D3A7B320B5AB611FC919F570DCA55C9A; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;charset=UTF-8
Content-Length: 13
Date: Tue, 14 Mar 2023 14:26:59 GMT
Keep-Alive: timeout=60
Connection: keep-alive

greeting: yyy
Response code: 200; Time: 243ms (243 ms); Content length: 13 bytes (13 B)
```
```java
// PUT variant: the name comes from the path instead of a query parameter
@PutMapping("/greeting/{name}")
public String putGreeting(@PathVariable String name) {
    return "greeting: " + name;
}
```
```http
PUT http://localhost:8080/api/greeting/yyy HTTP/1.1
Authorization: Basic user d08c3859-a7ad-40dc-bacf-8da37f876133
```
Request body
```java
// Same endpoint, now also binding a JSON request body to a User object;
// User is assumed to have name and age fields, matching the JSON and the toString() output below
@PostMapping("/greeting")
public String makeGreeting(@RequestParam String name, @RequestBody User user) {
    return "greeting: " + user.toString();
}
```
```http
POST http://localhost:8080/api/greeting?name=yyy HTTP/1.1
Authorization: Basic user fbedd26a-cbfc-49ed-8c58-40217d31520d
Content-Type: application/json

{
  "name": "yyy",
  "age": 18
}
```
```txt
http://localhost:8080/api/greeting?name=yyy

HTTP/1.1 200
Set-Cookie: JSESSIONID=EC8E0ECC447DED4937B6897F6B9C338E; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/plain;charset=UTF-8
Content-Length: 34
Date: Tue, 14 Mar 2023 14:35:59 GMT
Keep-Alive: timeout=60
Connection: keep-alive

greeting: User{name='yyy', age=18}
Response code: 200; Time: 275ms (275 ms); Content length: 34 bytes (34 B)
```
Omit the Content-Type header, which states the request body's data format (it is the entity header from the earlier figure, the one describing the request entity), and the result is 415:
```txt
http://localhost:8080/api/greeting?name=yyy

HTTP/1.1 415
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 14 Mar 2023 14:37:37 GMT
Keep-Alive: timeout=60
Connection: keep-alive

{
  "timestamp": "2023-03-14T14:37:37.327+00:00",
  "status": 415,
  "error": "Unsupported Media Type",
  "message": "",
  "path": "/api/greeting"
}
Response code: 415; Time: 34ms (34 ms); Content length: 127 bytes (127 B)
```
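The 415 comes from the server refusing to bind a body whose media type it was not told, since Content-Type is the entity header that names the body's format. The following added example, not Spring's code, models the decision the controller's @RequestBody binding makes: parse the media type with its parameters, answer 415 when it is missing or not JSON, decode the body with the declared charset, and only then bind the fields. Rejecting unknown fields is this model's choice; whether the real application does depends on its JSON binder's configuration.

```python
"""How a server decides between 415 and 200 for a request body. Added example,
not Spring's code: a model of the controller above (@RequestParam name plus
@RequestBody User). Content-Type is the entity header that names the body's
format; without it the server refuses to guess and answers 415."""
from __future__ import annotations

import json


def parse_media_type(value: str | None) -> tuple[str | None, dict[str, str]]:
    """'application/json;charset=UTF-8' -> ('application/json', {'charset': 'utf-8'})."""
    if not value:
        return None, {}
    main, *params = (part.strip() for part in value.split(";"))
    attrs: dict[str, str] = {}
    for param in params:
        key, _, val = param.partition("=")
        attrs[key.strip().lower()] = val.strip().strip('"').lower()
    return main.lower(), attrs


def make_greeting(query: dict[str, str], headers: dict[str, str], body: bytes) -> tuple[int, str]:
    """(status, body) for POST /api/greeting; header names are matched exactly here."""
    if "name" not in query:
        return 400, "Required request parameter 'name' is missing"
    media, attrs = parse_media_type(headers.get("Content-Type"))
    if media != "application/json":
        return 415, "Unsupported Media Type"  # missing or non-JSON Content-Type, as above
    try:
        user = json.loads(body.decode(attrs.get("charset", "utf-8")))
    except (LookupError, UnicodeDecodeError, json.JSONDecodeError):
        return 400, "Malformed JSON body"  # LookupError: unknown charset name
    # Bind only the fields User has; unknown fields are rejected instead of silently dropped
    if not isinstance(user, dict) or set(user) - {"name", "age"}:
        return 400, "Unexpected fields in body"
    return 200, f"greeting: User{{name='{user.get('name')}', age={user.get('age')}}}"


if __name__ == "__main__":
    print(make_greeting({"name": "yyy"}, {}, b'{"name": "yyy", "age": 18}'))
    print(make_greeting({"name": "yyy"}, {"Content-Type": "application/json"}, b'{"name": "yyy", "age": 18}'))
```

The media-type parser lower-cases the type and the parameter names because both are case-insensitive in HTTP, and it honours the declared charset when decoding, so a body sent as application/json; charset=UTF-8 (the form Spring itself uses in its responses above) binds the same way as one with no parameter.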