本文主要是介绍12 nacos 一系列 403 的构造,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
前言
最近 生产环境环境出现了 一系列的 nacos 403, 然后 这里来大致看一下 各种可能得情况
首先 nacos 服务器需要开启认证配置
这里 nacos 调试版本为 2.0.4
case1 用户无角色关联导致 403
报错的信息如下
2023-06-28 13:05:11.448 ERROR 10279 --- [ main] c.a.c.n.registry.NacosServiceRegistry : nacos registry, smart-city-ay-cache-service register failed...NacosRegistration{nacosDiscoveryProperties=NacosDiscoveryProperties{serverAddr='10.60.50.16:8849', endpoint='', namespace='whaleXLocalVisitBNet', watchDelay=30000, logName='', service='smart-city-ay-cache-service', weight=1.0, clusterName='DEFAULT', group='DEFAULT_GROUP', namingLoadCacheAtStart='false', metadata={preserved.register.source=SPRING_CLOUD}, registerEnabled=true, ip='192.168.220.140', networkInterface='', port=18080, secure=false, accessKey='', secretKey='', heartBeatInterval=null, heartBeatTimeout=null, ipDeleteTimeout=null, failFast=true}},com.alibaba.nacos.api.exception.NacosException: failed to req API:/nacos/v1/ns/instance after all servers([10.60.50.16:8849]) tried: ErrCode:403, ErrMsg:<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Thu Jun 29 09:55:20 CST 2023</div><div>There was an unexpected error (type=Forbidden, status=403).</div><div>authorization failed!</div></body></html>at com.alibaba.nacos.client.naming.net.NamingProxy.reqApi(NamingProxy.java:556) ~[nacos-client-1.4.2.jar!/:na]at com.alibaba.nacos.client.naming.net.NamingProxy.reqApi(NamingProxy.java:498) ~[nacos-client-1.4.2.jar!/:na]at com.alibaba.nacos.client.naming.net.NamingProxy.reqApi(NamingProxy.java:493) ~[nacos-client-1.4.2.jar!/:na]at com.alibaba.nacos.client.naming.net.NamingProxy.registerService(NamingProxy.java:246) ~[nacos-client-1.4.2.jar!/:na]at com.alibaba.nacos.client.naming.NacosNamingService.registerInstance(NacosNamingService.java:212) ~[nacos-client-1.4.2.jar!/:na]at com.alibaba.cloud.nacos.registry.NacosServiceRegistry.register(NacosServiceRegistry.java:74) ~[spring-cloud-starter-alibaba-nacos-discovery-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at org.springframework.cloud.client.serviceregistry.AbstractAutoServiceRegistration.register(AbstractAutoServiceRegistration.java:239) [spring-cloud-commons-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at com.alibaba.cloud.nacos.registry.NacosAutoServiceRegistration.register(NacosAutoServiceRegistration.java:78) [spring-cloud-starter-alibaba-nacos-discovery-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at org.springframework.cloud.client.serviceregistry.AbstractAutoServiceRegistration.start(AbstractAutoServiceRegistration.java:138) [spring-cloud-commons-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at org.springframework.cloud.client.serviceregistry.AbstractAutoServiceRegistration.bind(AbstractAutoServiceRegistration.java:101) [spring-cloud-commons-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at org.springframework.cloud.client.serviceregistry.AbstractAutoServiceRegistration.onApplicationEvent(AbstractAutoServiceRegistration.java:88) [spring-cloud-commons-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at org.springframework.cloud.client.serviceregistry.AbstractAutoServiceRegistration.onApplicationEvent(AbstractAutoServiceRegistration.java:47) [spring-cloud-commons-2.2.6.RELEASE.jar!/:2.2.6.RELEASE]at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:404) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:361) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:46) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:53) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:360) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:158) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:122) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:895) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:554) [spring-context-5.2.8.RELEASE.jar!/:5.2.8.RELEASE]at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.3.2.RELEASE.jar!/:2.3.2.RELEASE]at com. ServiceApplication.main(SmartCityAyCacheServiceApplication.java:16) [classes!/:na]at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_291]at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_291]at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_291]at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_291]at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [smart-city-ay-cache-service.jar:na]at org.springframework.boot.loader.Launcher.launch(Launcher.java:109) [smart-city-ay-cache-service.jar:na]at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [smart-city-ay-cache-service.jar:na]at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [smart-city-ay-cache-service.jar:na]
权限的控制方式如下, 根据 用户名去 roles 中去查询 角色列表
然后再根据 角色来控制权限, 如果是 ROLE_ADMIN, 直接通过认证
如果是 “console/xx” 直接不过认证
否则通过 permissions 表查询角色对应的权限, 来判断是否有访问给定的资源的权限
比如我们这里的情况, 有 admin 这个用户
但是没有配置 admin 关联的角色, 因此 这里直接 return false
case2 用户不存在导致 403
客户端传入的 用户名, 密码 不正确, 输出给客户端的是 “unknown user!”
日志信息如下
com.alibaba.nacos.api.exception.NacosException: <html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Thu Jun 29 10:31:24 CST 2023</div><div>There was an unexpected error (type=Forbidden, status=403).</div><div>unknown user!</div></body></html>at com.alibaba.nacos.client.config.impl.ClientWorker.getServerConfig(ClientWorker.java:239) ~[nacos-client-1.4.2.jar:na]at com.alibaba.nacos.client.config.NacosConfigService.getConfigInner(NacosConfigService.java:160) ~[nacos-client-1.4.2.jar:na]at com.alibaba.nacos.client.config.NacosConfigService.getConfig(NacosConfigService.java:100) ~[nacos-client-1.4.2.jar:na]at com.alibaba.cloud.nacos.client.NacosPropertySourceBuilder.loadNacosData(NacosPropertySourceBuilder.java:85) [spring-cloud-starter-alibaba-nacos-config-2.2.6.RELEASE.jar:2.2.6.RELEASE]at com.alibaba.cloud.nacos.client.NacosPropertySourceBuilder.build(NacosPropertySourceBuilder.java:73) [spring-cloud-starter-alibaba-nacos-config-2.2.6.RELEASE.jar:2.2.6.RELEASE]at com.alibaba.cloud.nacos.client.NacosPropertySourceLocator.loadNacosPropertySource(NacosPropertySourceLocator.java:199) [spring-cloud-starter-alibaba-nacos-config-2.2.6.RELEASE.jar:2.2.6.RELEASE]at com.alibaba.cloud.nacos.client.NacosPropertySourceLocator.loadNacosDataIfPresent(NacosPropertySourceLocator.java:186) [spring-cloud-starter-alibaba-nacos-config-2.2.6.RELEASE.jar:2.2.6.RELEASE]at com.alibaba.cloud.nacos.client.NacosPropertySourceLocator.loadApplicationConfiguration(NacosPropertySourceLocator.java:144) [spring-cloud-starter-alibaba-nacos-config-2.2.6.RELEASE.jar:2.2.6.RELEASE]at com.alibaba.cloud.nacos.client.NacosPropertySourceLocator.locate(NacosPropertySourceLocator.java:103) [spring-cloud-starter-alibaba-nacos-config-2.2.6.RELEASE.jar:2.2.6.RELEASE]at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:52) [spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) [spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:98) [spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626) [spring-boot-2.3.2.RELEASE.jar:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370) [spring-boot-2.3.2.RELEASE.jar:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.run(SpringApplication.java:314) [spring-boot-2.3.2.RELEASE.jar:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) [spring-boot-2.3.2.RELEASE.jar:2.3.2.RELEASE]at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.3.2.RELEASE.jar:2.3.2.RELEASE]
生产环境的 403
不同的服务器版本 差距还是有些大
比如上面图片中 nacos 版本是 2.0.4
如果传递 用户名, 密码, 或者 错误, 在 2.0.4 版本中走的是 ”unknown user”
然后 生产环境 中报告的错误是 “user not found”, 然后 这个在 nacos-2.0.4版本 中条件极为苛刻, 甚至于 基本上构造不出来
然后 这个也困扰了 我很久,. 然后 看了一下 nacos-2.2.4版本 的代码, 豁然开朗
当然 也浪费了 不少的时间
比如上面图片中 nacos 版本是 2.2.4
如果传递 用户名, 密码, 或者 错误, 在 2.0.4 版本中走的是 ”user not found”
完
这篇关于12 nacos 一系列 403 的构造的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!