When we use nginx's auth_request directive for authentication, nginx does not check any status code carried inside the HTTP response body; it only cares about the status code of the HTTP response itself. A Spring endpoint can express its status in either of these two places:
- Application-level status codes: status codes encapsulated in a Result object are written into the body of the HTTP response
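```java
import app.xlog.ggbond.utils.Result;
import org.springframework.web.bind.annotation.GetMapping;

// The outcome is only visible in the Result object serialized into the response body.
@GetMapping("/verify")
public Result<String> verify(String token) {
    // Demo only: do not log real tokens.
    logger.atInfo().log("token: {}", token);
    // Constant-first equals avoids a NullPointerException when the token parameter is missing.
    if ("success".equals(token)) {
        logger.atInfo().log("Request successful");
        return Result.buildResult(Result.Status.OK, "success");
    } else {
        return Result.buildResult(Result.Status.BAD_REQUEST);
    }
}
```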
- Non-application-level (HTTP) status codes: with a ResponseEntity object, the HTTP status code is part of the HTTP response itself and is sent separately, before any HTTP response body
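```java
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;

// The outcome is the HTTP status code itself: 200 on success, 403 on failure.
@GetMapping("/verify")
public ResponseEntity<String> verify(String token) {
    // Demo only: do not log real tokens.
    logger.atInfo().log("token: {}", token);
    // Constant-first equals avoids a NullPointerException when the token parameter is missing.
    if ("success".equals(token)) {
        logger.atInfo().log("Request successful");
        return ResponseEntity.ok("success");
    } else {
        return ResponseEntity.status(403).body("forbidden");
    }
}
```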
Even if the returned Result object contains a "403" status code, the HTTP request itself was actually successful, so the nginx auth_request directive will still consider the verification successful.
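
The difference can be reproduced without nginx or Spring. The following is an added example, not code from the original page: it serves both response styles from the JDK's built-in HttpServer and applies the rule nginx documents for auth_request (2xx allows, 401/403 denies, anything else is an error). The class name, the paths /verify-result and /verify-entity, and the JSON body are constructed for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class AuthRequestStatusDemo {

    // nginx's documented auth_request rule: it looks only at the subrequest's HTTP status.
    static String authRequestDecision(int httpStatus) {
        if (httpStatus >= 200 && httpStatus < 300) return "ALLOW";
        if (httpStatus == 401 || httpStatus == 403) return "DENY";
        return "ERROR";
    }

    // Registers a stand-in verify endpoint that answers with a fixed HTTP status and body.
    static void route(HttpServer server, String path, int httpStatus, String body) {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        server.createContext(path, exchange -> {
            exchange.sendResponseHeaders(httpStatus, bytes.length);
            try (var out = exchange.getResponseBody()) { out.write(bytes); }
        });
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // Result style: the rejection exists only in the body, HTTP status stays 200 (constructed body).
        route(server, "/verify-result", 200, "{\"code\":403,\"msg\":\"forbidden\"}");
        // ResponseEntity style: the rejection is the HTTP status itself.
        route(server, "/verify-entity", 403, "forbidden");
        server.start();
        HttpClient client = HttpClient.newHttpClient();
        try {
            for (String path : new String[] {"/verify-result", "/verify-entity"}) {
                URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + path + "?token=bad");
                HttpResponse<String> resp = client.send(
                        HttpRequest.newBuilder(uri).GET().build(), HttpResponse.BodyHandlers.ofString());
                // The body is printed for the reader only; the decision never reads it.
                System.out.printf("%-15s http=%d body=%s -> %s%n",
                        path, resp.statusCode(), resp.body(), authRequestDecision(resp.statusCode()));
            }
        } finally {
            server.stop(0);
        }
    }
}
```

With an invalid token, the Result-style endpoint is reported as ALLOW and the ResponseEntity-style endpoint as DENY, which is why a verify endpoint placed behind auth_request has to signal failure through the HTTP status.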