Problem description
When testing Pac4j (2.x) authentication in the context of a Ratpack (1.5.x) app, I find that when I use this handler:
all RatpackPac4j.requireAuth(HeaderClient)
...Unauthorised requests get rejected correctly with a 401 status, and RFC-7235 states that a WWW-Authenticate
header should be added, and it is not.
I raised an issue on the RatpackPac4j tracker here, but it was closed as (I infer) "won't fix" since Pac4j v3 implements this properly. And RatpackPac4j has not been upgraded to work with Pac4j v3 yet.
So: is it possible to insert something which post-processes all responses to, for example, conditionally add a header based on the response?
Aside - I'm using the following versions in my gradle config:
compile group: 'io.ratpack', name: 'ratpack-groovy', version: '1.5.4'
compile group: 'org.slf4j', name: 'slf4j-simple', version: '1.7.25'
// compile ratpack.dependency('pac4j') // Don't use this, because we need the org.pac4j version
compile group: 'org.pac4j', name: 'ratpack-pac4j', version: '2.0.0'
compile group: 'org.pac4j', name: 'pac4j-core', version: '2.2.1'
compile group: 'org.pac4j', name: 'pac4j-jwt', version: '2.2.1'
compile group: 'org.pac4j', name: 'pac4j-http', version: '2.2.1'
Recommended answer
Thanks to John Engelman in the Ratpack Slack channel, here is a work-around: use Response#beforeSend
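handlers {
    all {
        // Register the callback before any handler that may send a 401.
        response.beforeSend { response ->
            if (response.status.code == 401) {
                response.headers.set('WWW-Authenticate', 'bearer realm="authenticated api"')
            }
        }
        // Delegate to the handlers that follow; without this the chain stops here.
        next()
    }
}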
Note that this handler must be inserted before any others which may generate a 401 response or the callback will not be bound when they are triggered.
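The ordering rule in the note above, as an added example that is not part of the original answer: a stand-alone Groovy script that exercises the work-around with Ratpack's embedded test app. The `ratpack-groovy-test` dependency, the paths `early`, `guarded` and `open`, and the hand-written 401 handlers standing in for `RatpackPac4j.requireAuth` are assumptions made for the illustration.

```groovy
// Added example, not code from the original post.
// Assumption: ratpack-groovy-test 1.5.4 is resolved through @Grab.
@Grab('io.ratpack:ratpack-groovy-test:1.5.4')
import ratpack.groovy.test.embed.GroovyEmbeddedApp

def challenge = 'bearer realm="authenticated api"'

GroovyEmbeddedApp.of {
    handlers {
        // Hypothetical path registered BEFORE the hook: its 401 is sent
        // before any callback has been bound, so no challenge is added.
        get('early') {
            response.status(401).send()
        }

        // The work-around from the answer.
        all {
            response.beforeSend { r ->
                if (r.status.code == 401) {
                    r.headers.set('WWW-Authenticate', challenge)
                }
            }
            next()
        }

        // Stand-in for RatpackPac4j.requireAuth rejecting a request.
        get('guarded') {
            response.status(401).send()
        }

        // A successful response must not carry the challenge.
        get('open') {
            render 'ok'
        }
    }
}.test {
    def guarded = get('guarded')
    assert guarded.statusCode == 401
    assert guarded.headers.get('WWW-Authenticate') == challenge

    assert get('open').statusCode == 200
    assert get('open').headers.get('WWW-Authenticate') == null

    def early = get('early')
    assert early.statusCode == 401
    assert early.headers.get('WWW-Authenticate') == null
}
```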