When Nginx performs authentication, it does not check the application-level status codes.

Apr 29, 2024#异常 #JavaWeb #Nginx370

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

When using the auth_request directive in nginx for authentication, it only checks the HTTP response status code and not the body. Application-level status codes are encapsulated in the response body using Result objects, while non-application-level HTTP status codes are sent separately using ResponseEntity objects. Even if a Result object contains a "403" status code, the request is still considered successful by nginx's auth_request directive.

When we use the auth_request directive of nginx for authentication, it does not check the status code of the HTTP response body, it only cares about the status code of the HTTP response

Application-level status codes: Status codes encapsulated in Result objects are included in the body of the HTTP response when responding

import app.xlog.ggbond.utils.Result;

@GetMapping("/verify")
public Result<String> verify(String token) {
    logger.atInfo().log("token: {}", token);
    if (token.equals("success")) {
        logger.atInfo().log("Request successful");
        return Result.buildResult(Result.Status.OK, "success");
    } else {
        return Result.buildResult(Result.Status.BAD_REQUEST);
    }
}

Non-application-level HTTP status codes: Using ResponseEntity objects, where the HTTP status code is part of the HTTP response and is sent separately, before any HTTP response body

import org.springframework.http.ResponseEntity;

@GetMapping("/verify")
public ResponseEntity<String> verify(String token) {
    logger.atInfo().log("token: {}", token);
    if (token.equals("success")) {
        logger.atInfo().log("Request successful");
        return ResponseEntity.ok("success");
    } else {
        return ResponseEntity.status(403).body("forbidden");
    }
}

Even if the returned Result object contains a "403" status code, the request was actually successful, so the Nginx auth_request directive will still consider the verification successful