No configuration /error is accessible in WebSecurityConfig, resulting in real error loss #1841

Closed
brucelwl opened this issue Sep 11, 2019 · 1 comment · Fixed by #1888
Labels
kind/bug Category issues or prs related to bug.

Comments

@brucelwl (Contributor)

Spring Boot configures an /error page by default. When Tomcat detects an error and an error page is configured, it forwards to that error page, and the forward passes through the filters again. The security filter finds that the /error page is not authorized, so the result is always a 401. com.alibaba.nacos.naming.misc.HttpClient then gets no input stream from the 401 response and throws a 500, when what it actually wanted to report was a 400.

Suggestion: either make /error accessible in
com.alibaba.nacos.console.config.WebSecurityConfig
or do not use
resp.sendError(400,"error message")
and use instead
resp.setStatus(400);
resp.getWriter().write("error message");

The server calls itself and throws the 400 exception:
com.alibaba.nacos.naming.misc.DistroFilter (screenshot)

On the exception, Tomcat forwards to the /error page, which is intercepted by Security and throws a 401 exception:
com.alibaba.nacos.console.config.WebSecurityConfig (screenshot)

HttpClient receives the 401 status code, the input stream is null, and parsing the input stream throws a 500 exception. An exception that should have been a 400 becomes a 500, which makes troubleshooting difficult. A huge pitfall!!!
com.alibaba.nacos.naming.misc.HttpClient (screenshot)
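To make the two options from this report concrete, here is an added example. It is not Nacos source and not the change from #1888: a Spring Security configuration that permits the /error dispatch, a filter that rejects with setStatus plus write instead of sendError, and a client that reads an HttpURLConnection error stream without assuming it is non-null. The package, the class names, the `serviceName` validation rule and the httpBasic/csrf choices are assumptions made for illustration.

```java
// Added example, not Nacos source: package, class names and the validation rule are illustrative.
package example.errorpage;

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.StreamUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Option 1 from the issue: authorise the /error dispatch. Spring Boot registers
 * springSecurityFilterChain for REQUEST, ASYNC and ERROR dispatches, so after
 * resp.sendError(400) Tomcat's forward to /error is itself subject to the
 * chain; without this rule an unauthenticated caller receives 401, not 400.
 */
@Configuration
public class ErrorPageSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/error").permitAll()   // the error page carries only the original status and message
                .anyRequest().authenticated()
            .and().httpBasic()                        // assumption: API-only server
            .and().csrf().disable();                  // assumption: no browser sessions to protect
    }
}

/**
 * Option 2 from the issue: never trigger the error dispatch. Tomcat forwards to
 * the configured error page only on sendError() or an uncaught exception;
 * setStatus() plus a written body commits the 400 straight to the caller.
 */
class RejectingFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        if (req.getParameter("serviceName") == null) {   // hypothetical validation rule
            resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().write("missing parameter serviceName");
            resp.flushBuffer();                           // commit now so nothing downstream can change the status
            return;
        }
        chain.doFilter(req, resp);
    }
}

/**
 * Client side: on a 4xx/5xx HttpURLConnection.getInputStream() throws, and
 * getErrorStream() may be null when the response has no body, which is the
 * path that turned the forwarded 401 into a 500. Keep the real status code
 * and whatever body exists instead of dereferencing a null stream.
 */
class ErrorAwareClient {
    static final class Result {
        final int status;
        final String body;
        Result(int status, String body) { this.status = status; this.body = body; }
    }

    static Result read(HttpURLConnection conn) throws IOException {
        int status = conn.getResponseCode();
        InputStream in = status >= HttpURLConnection.HTTP_BAD_REQUEST
                ? conn.getErrorStream() : conn.getInputStream();
        if (in == null) {
            return new Result(status, "");   // no body: report the status, do not NPE into a 500
        }
        try (InputStream s = in) {
            return new Result(status, StreamUtils.copyToString(s, StandardCharsets.UTF_8));
        }
    }
}
```

With permitAll on /error, what an unauthenticated caller sees on that route is Spring Boot's error body for the original status; keep server.error.include-stacktrace at its default of never so the permitted error page does not become a stack-trace leak.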

@nacos-bot nacos-bot added the kind/bug Category issues or prs related to bug. label Sep 11, 2019
@nacos-bot (Collaborator)

Hi @brucelwl, we detected non-English characters in the issue. This comment is an auto translation from @nacos-bot to help other users understand this issue.
We encourage you to describe your issue in English, which is more friendly to other users.


@nacos-bot nacos-bot changed the title from "WebSecurityConfig does not configure /error as accessible, so the real exception is lost" (originally in Chinese) to "No configuration /error is accessible in WebSecurityConfig, resulting in real abnormal loss" Sep 11, 2019
@brucelwl brucelwl changed the title from "No configuration /error is accessible in WebSecurityConfig, resulting in real abnormal loss" to "No configuration /error is accessible in WebSecurityConfig, resulting in real error loss" Sep 11, 2019
@brucelwl brucelwl mentioned this issue Sep 27, 2019
xuechaos added a commit that referenced this issue Sep 30, 2019
xingguangsixian added a commit to xingguangsixian/nacos that referenced this issue Dec 7, 2019
* fix: closes alibaba#1569

* fix bug

* build main

* alibaba#1529
distro uses local time to record heartbeats

* Fix alibaba#1591

* Add unit tests for common.GroupKey and utils.MD5

Fully-qualified classname
com.alibaba.nacos.client.config.common.GroupKey
com.alibaba.nacos.client.config.utils.MD5

These tests were written using Diffblue Cover.

* Fix alibaba#1591

* feat: support change password

* upgrade the fastjson version

* Fix namespace vulnerability

* Fix alibaba#1583

* no message

* Compile main.*

* no message

* fix build

* fix FE

* Backend support

* npm build

* fix CI

* Return the raw Service list directly when there are no filter conditions

* add refresh memory

* remove unnecessary const

* no message

* clear code

* build console

* revert error code

* Remove unnecessary code

* Delete the code that caused the list multi-element

* fix bug

* Unified constant use

* reverse `Service Name` and `Group Name`

* Fix bug

* Update version to 1.1.2-SNAPSHOT

* fix: font privatization

* Subject to the actual startup context path

* if not set the context path with the WebServerInitializedEvent then real '/' is context path

* RunningConfig support get from spring.properties configuration file

* Update version to 1.1.2

* Update version to 1.1.3

* Add unit tests for com.alibaba.nacos.config.server.utils.GroupKey

These tests were written using Diffblue Cover

* Use dynamic server version

* 1. Optimize log printing
2. Improve the robustness and readability of your code

* support datum is null case

* repair httpGetLarge#httpGetLarge, which calls entity.getContentType().getElements() and NPEs when the contentType is null

* Normalize http response entity with ResponseEntity by spring

* feat:

* cluster conf supports multiple instances inline, separated with ','

* add comma division with some case to use

* add comma division with some case to use

* add comma division with some case to use

* resolve conflict

* fix: fix alibaba#1733

* Page fix

* use API to create param

* use API to create param

* [ISSUE] alibaba#1671 Unified request header "Client-Version"

* [ISSUE] alibaba#1671 Unified request header "Client-Version"

* 🐛 remove server.contextPath

* Update service description error in Open API Guide

* fix: fix alibaba#1665

* fix alibaba#1764.

* Compatible with older versions

* [Issue] alibaba#1769 Solve the bug of the clone configuration function

* Fix alibaba#1764

* [Issue] alibaba#1769 Solve the bug of the clone configuration function

* [Issue] alibaba#1769 Solve the bug of the clone configuration function

* fix: closes alibaba#1759

* fixed(cluster): fixed raft cluster state

* chore(cluster): delete no used note

* alibaba#1507 close server from current dir

* repair spelling error and add debug log

* Fix alibaba#1621

* fix alibaba#1609

* fix alibaba#1609

* Make error information more specifically

* feature(triggerFlag): add triggerFlag for service

* feature(triggerFlag): add frontend show triggerFlag

* style: Modifiers should be declared in the correct order; set Map initial size to avoid resizing;

* style: Modifiers should be declared in the correct order; set Map initial size to avoid resizing;

* refactor: local variables are thread-safe;
          change urlPattern to static final;
          refactor GroupKey

* improve(triggerFlag): add pre check for triggerFlag

* refactor: change IO to try-with-resources. Replace the instanceList loop directly with addAll

* chore(triggerFlag): adjust some details

* improve(instanceHealth): add update logic

* feat:

* Avoiding conflicted for creating directory.

* improve(triggerFlag): adjust triggerFlag calculation chance

* clean controllers code

* chore(triggerFlag): delete unused function

* merge

* improve(triggerFlag): improve instance health flag

* Add synchronized when add/remove instance

* Update jackson version, see https://nvd.nist.gov/vuln/detail/CVE-2019-16335

* Fix alibaba#1874

* alibaba#1873, set default server expire timeout to 10 seconds and configurable.

* fix bug alibaba#1775

fix bug alibaba#1775

* build fe

* Clean up redundant StringUtils

* bug fix 1841

bug fix alibaba#1841

* fix alibaba#1916

* Bump netty-all from 4.0.42.Final to 4.1.42.Final

Bumps [netty-all](https://github.com/netty/netty) from 4.0.42.Final to 4.1.42.Final.
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.0.42.Final...netty-4.1.42.Final)

Signed-off-by: dependabot[bot] <support@github.com>

* alibaba#1409 Introduce MCP server

* alibaba#1409 gRPC server tuned OK.

* alibaba#1409 Update from Nacos

* alibaba#1409 Fix PMD

* Fix alibaba#1906

* fix the getting subscribers error

* Support unique instance index for each registered server

Signed-off-by: dizhe <vettal.wd@alibaba-inc.com>

* Do not include double quotes when creating the string, otherwise the call fails with Error: Unable to access jarfile

* Support snowflake instance id generator

Signed-off-by: Vettal Wu <vettal.wd@alibaba-inc.com>

* Fix test case error.

* clean code

* fix the CI errors

* remove the useless code that make ci errors

* Fix findbugs

* Add switch to turn on/off MCP server

* Update version to 1.1.4

* issues: when calling the update-instance API, parameter values that are not passed get cleared
alibaba#1957

* Change MCP service port to 8848

* Fix add metadata method NPE.

* Fix PMD

* fix alibaba#1947

* alibaba#1947 add test cases.

* issues: when calling the update-instance API, parameter values that are not passed get cleared
alibaba#1957

* issues: when calling the update-instance API, parameter values that are not passed get cleared
alibaba#1957

* [alibaba#2006] change to throw NacosException to make client handle the right Exception case

* make RequestVote RPC handler thread-safe

* Modify the string splicing method of getgroupedname()

* Remove debug option in startup script

* fix alibaba#2000

* alibaba#2018 Close input stream instead of connection.

* fix alibaba#1842

* fix alibaba#1858

* Fix client beat task executing when health check is disabled.

* refactor(client/config): increase the client's read timeout

In order to prevent the server from handling the delay of the client's long task, increase the
client's read timeout to avoid this problem.

* refactor(client/config): update timeout compute

* fix startup for java 11

* remove classpath

* Bump jackson-databind from 2.9.10 to 2.9.10.1

Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.9.10 to 2.9.10.1.
- [Release notes](https://github.com/FasterXML/jackson/releases)
- [Commits](https://github.com/FasterXML/jackson/commits)

Signed-off-by: dependabot[bot] <support@github.com>

* add toUpperCase

* optimize: the Boolean.parseBoolean(String s) method should be used when converting a String to a Boolean type

* fix 2025

* fix default value of database field

* add client context path config

* Fix alibaba#2098

* add nacos console cors

* format code

* Update version to 1.2.0-SNAPSHOT

* Fix close connection exception.

* Fix alibaba#2123

* Fix alibaba#2020

* Fix alibaba#2123
2 participants