java – API Gateway custom authorizer: controlling error messages and codes
Author: Internet
My Gateway API has a custom authorizer. I have read many posts about how to customize the error message and code returned to the end user on an authentication or authorization error. This one seemed the most useful.
The problem is that the API Gateway behaves differently from what is documented.
My custom authorizer implementation (Python):
def lambda_handler(event, context):
    # Always fail, with a message other than 'Unauthorized'
    raise Exception('the sky is falling!')
When I call the API with curl:
kash@Laptop$date; curl -i -X GET -H "Authorization: Bearer 1234abcd`date +%s`" https://xxxx.execute-api.us-west-2.amazonaws.com/prod/ticket
Mon Jun 4 12:27:51 CDT 2018
HTTP/1.1 500 Internal Server Error
Date: Mon, 04 Jun 2018 17:27:53 GMT
Content-Type: application/json
Content-Length: 16
Connection: keep-alive
x-amzn-RequestId: 9cc6d7ce-681c-xxxx-8a4a-23a7616ba4a5
x-amzn-ErrorType: AuthorizerConfigurationException
x-amz-apigw-id: xxxx=
{"message":null}
kash@Laptop$
How do I get it to return an HTTP 4xx with {"message":"the sky is falling!"}?
For debugging: I went to Gateway Responses under my API and changed the body mapping template for "Authorizer Configuration Error (500)" from:
{"message":$context.error.messageString}
to this:
{
"errorMessage":"$errorMessage",
"messageString":"$messageString",
"context.errorMessage":"$context.errorMessage",
"context.messageString":"$context.messageString",
"context.error.errorMessage":"$context.error.errorMessage",
"context.error.messageString":"$context.error.messageString",
"context.authorizer.error.errorMessage":"$context.authorizer.error.errorMessage",
"context.authorizer.error.errorMessage":"$context.authorizer.error.errorMessage",
"context.authorizer.errorMessage":"$context.authorizer.errorMessage",
"context.authorizer.messageString":"$context.authorizer.messageString",
"type": "$context.error.responseType",
"statusCode": "'404'",
"stage": "$context.stage",
"resourcePath": "$context.resourcePath",
"stageVariables.a": "$stageVariables.a",
"context.apiId": "$context.apiId",
"context.authorizer.claims.property": "$context.authorizer.claims.property",
"context.authorizer.principalId": "$context.authorizer.principalId",
"context.authorizer.property": "$context.authorizer.property",
"context.httpMethod": "$context.httpMethod",
"context.error.message": "$context.error.message",
"context.error.messageString": "$context.error.messageString",
"context.error.responseType": "$context.error.responseType",
"context.extendedRequestId": "$context.extendedRequestId",
"context.identity.accountId": "$context.identity.accountId",
"context.identity.apiKey": "$context.identity.apiKey",
"context.identity.apiKeyId": "$context.identity.apiKeyId",
"context.identity.caller": "$context.identity.caller",
"context.identity.cognitoAuthenticationProvider": "$context.identity.cognitoAuthenticationProvider",
"context.identity.cognitoAuthenticationType": "$context.identity.cognitoAuthenticationType",
"context.identity.cognitoIdentityId": "$context.identity.cognitoIdentityId",
"context.identity.cognitoIdentityPoolId": "$context.identity.cognitoIdentityPoolId",
"context.identity.sourceIp": "$context.identity.sourceIp",
"context.identity.user": "$context.identity.user",
"context.identity.userAgent": "$context.identity.userAgent",
"context.identity.userArn": "$context.identity.userArn",
"context.integrationLatency": "$context.integrationLatency",
"context.path": "$context.path",
"context.protocol": "$context.protocol",
"context.requestId": "$context.requestId",
"context.requestTime": "$context.requestTime",
"context.requestTimeEpoch": "$context.requestTimeEpoch",
"context.resourceId": "$context.resourceId",
"context.resourcePath": "$context.resourcePath",
"context.responseLength": "$context.responseLength",
"context.responseLatency": "$context.responseLatency",
"context.status": "$context.status",
"context.stage": "$context.stage"
}
and the response was:
{
"errorMessage":"",
"messageString":"",
"context.errorMessage":"",
"context.messageString":"",
"context.error.errorMessage":"",
"context.error.messageString":"null",
"context.authorizer.error.errorMessage":"",
"context.authorizer.error.errorMessage":"",
"context.authorizer.errorMessage":"",
"context.authorizer.messageString":"",
"type": "AUTHORIZER_CONFIGURATION_ERROR",
"statusCode": "'404'",
"stage": "prod",
"resourcePath": "/ticket",
"stageVariables.a": "",
"context.apiId": "xxxx",
"context.authorizer.claims.property": "",
"context.authorizer.principalId": "",
"context.authorizer.property": "",
"context.httpMethod": "GET",
"context.error.message": "",
"context.error.messageString": "null",
"context.error.responseType": "AUTHORIZER_CONFIGURATION_ERROR",
"context.extendedRequestId": "xxxx=",
"context.identity.accountId": "",
"context.identity.apiKey": "",
"context.identity.apiKeyId": "",
"context.identity.caller": "",
"context.identity.cognitoAuthenticationProvider": "",
"context.identity.cognitoAuthenticationType": "",
"context.identity.cognitoIdentityId": "",
"context.identity.cognitoIdentityPoolId": "",
"context.identity.sourceIp": "xxx.244.xxx.2",
"context.identity.user": "",
"context.identity.userAgent": "curl/7.47.0",
"context.identity.userArn": "",
"context.integrationLatency": "",
"context.path": "/prod/ticket",
"context.protocol": "HTTP/1.1",
"context.requestId": "57e2462d-681c-xxxx-7dd93186dc68",
"context.requestTime": "04/Jun/2018:17:25:57 +0000",
"context.requestTimeEpoch": "1528133157762",
"context.resourceId": "pz9fb8",
"context.resourcePath": "/ticket",
"context.responseLength": "",
"context.responseLatency": "",
"context.status": "",
"context.stage": "prod"
}
I have read:
> Is there a way to change the http status codes returned by Amazon API Gateway?
> How to throw custom error message from API Gateway custom authorizer
> custom authorizers in Amazon API Gateway 500 error
> Is it possible to customize API Gateway custom authorizer response message and status code on unauthorized?
and a few threads on the AWS forums.
Solution:
In case it helps someone:
CA = custom authorizer
> Error code: AWS does not fully allow the CA implementation to dictate the error code sent back to the caller.
> If the CA returns an auth policy that does not include the invoked resource/method in one of its statements with action Allow, the user gets a 403 with something like "User is not authorized to access this resource".
> If the CA returns an auth policy that has a statement with action Deny containing the invoked resource/method, the user gets a 403 with something like "User is not authorized to access this resource with an explicit deny".
> If the CA raises an exception with the message "Unauthorized", the user gets a 401 with the message "Unauthorized".
> If the CA raises an exception with any other message, the user gets HTTP 500 Internal Server Error (Authorizer Configuration Error), and the call is denied/unauthorized.
> Error message: only statically controllable, via the body mapping template in Gateway Responses.
> For example, you can update the body mapping template for "Unauthorized [401]" in Gateway Responses to say "My service doesn't like you for some unknown reason", and then whenever the CA throws an "Unauthorized" exception the end user gets HTTP 401 "My service doesn't like you for some unknown reason".
> Similarly, you can update "Access Denied [403]" or "Authorizer Configuration Error [500]". But the message is static and cannot be controlled from the CA implementation.
> It is not possible to have different 401 messages such as:
> 401: Unauthorized due to an expired token.
> 401: Unauthorized due to a missing scope.
Other, unrelated thing: since the CA throws an exception to convey auth failure under some conditions, from a metrics perspective this increases the Lambda ErrorCount metric. So that metric is not reliable for identifying "application errors".
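The authorizer in the question raises an exception with an arbitrary message, which is exactly the case the answer maps to a 500. The following is an added example, not the question's authorizer and not AWS code: a TOKEN-type Lambda authorizer written to the four rules the answer lists (Allow policy, Deny policy, an exception whose message is exactly `Unauthorized`, anything else), plus a small `simulate_gateway` function that models how the gateway turns each outcome into a status so the rules can be checked locally. The token store, scopes and method ARN are constructed sample data; `build_policy`, `simulate_gateway` and `question_handler` are names chosen here.

```python
"""Added example, not the question's own authorizer: a TOKEN-type Lambda
authorizer written to the rules the answer lists. API Gateway honours only
three signals from the function: an Allow policy, a Deny policy, or an
exception whose message is exactly 'Unauthorized'. Everything else is a 500.
Tokens, scopes and the method ARN below are constructed sample data."""
import re

# Constructed token store. A real authorizer would verify a signed JWT or
# consult a session store; this mapping only drives the example.
KNOWN_TOKENS = {
    "tok-reader": {"principal": "user-1", "scopes": {"ticket:read"}},
    "tok-nobody": {"principal": "user-2", "scopes": set()},
}
REQUIRED_SCOPE = "ticket:read"          # assumed requirement for GET /ticket
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")


def build_policy(principal_id, effect, method_arn, authorizer_context=None):
    """Build the output document API Gateway expects from a Lambda authorizer."""
    doc = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,            # "Allow" or "Deny"
                "Resource": method_arn,
            }],
        },
    }
    if authorizer_context:
        # Scalar values only; they reach mapping templates as
        # $context.authorizer.<key>, the one channel that is not static.
        doc["context"] = authorizer_context
    return doc


def lambda_handler(event, context):
    """Authorizer entry point; event carries 'authorizationToken' and 'methodArn'."""
    method_arn = event["methodArn"]
    match = BEARER_RE.match(event.get("authorizationToken", ""))
    if not match:
        # Missing or malformed header: 'Unauthorized' is the only message
        # the gateway turns into a 401.
        raise Exception("Unauthorized")
    entry = KNOWN_TOKENS.get(match.group(1))
    if entry is None:
        # Unknown token: also 401. Any other message ('the sky is falling!')
        # becomes a 500 AuthorizerConfigurationException, as the question saw.
        raise Exception("Unauthorized")
    if REQUIRED_SCOPE not in entry["scopes"]:
        # Authenticated but not permitted: an explicit Deny yields a 403.
        return build_policy(entry["principal"], "Deny", method_arn,
                            {"reason": "missing scope " + REQUIRED_SCOPE})
    return build_policy(entry["principal"], "Allow", method_arn,
                        {"scopes": " ".join(sorted(entry["scopes"]))})


def question_handler(event, context):
    """The question's authorizer, reproduced for comparison."""
    raise Exception("the sky is falling!")


def simulate_gateway(event, handler=lambda_handler):
    """Model of the gateway rules from the answer, for local testing only:
    returns (status, note) the caller would see for a given authorizer."""
    try:
        policy = handler(event, None)
    except Exception as exc:
        if str(exc) == "Unauthorized":
            return 401, "Unauthorized"
        return 500, "AuthorizerConfigurationException"
    effect = policy["policyDocument"]["Statement"][0]["Effect"]
    if effect == "Allow":
        return 200, "request forwarded to the integration"
    return 403, "explicit deny"


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-west-2:123456789012:abcdef/prod/GET/ticket"
    for token in ("Bearer tok-reader", "Bearer tok-nobody", "Bearer nope", "Basic x"):
        print(token, "->", simulate_gateway({"methodArn": arn, "authorizationToken": token}))
    print("question's authorizer ->",
          simulate_gateway({"methodArn": arn, "authorizationToken": "Bearer x"}, question_handler))
```

The design choice worth noting is that authentication failures (no token, unknown token) and authorization failures (valid token, missing scope) are kept on separate paths: the first raises `Unauthorized` for a 401, the second returns an explicit Deny for a 403, and nothing else is ever raised, so the 500 path in the question cannot be reached by a caller's input.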
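The question's debugging template tried every `$context.*` variable and got empty strings or `null`; the answer's conclusion is that the body for these responses can only be a fixed message. The following added example (not from the question, the answer, or AWS) builds the static Gateway Response bodies for the three error types a custom authorizer can trigger, as keyword arguments for boto3's `put_gateway_response` call, and refuses a template that still contains a VTL reference. The REST API id is a placeholder and the message texts are sample values (the 401 text is the one the answer uses); the live boto3 call only runs when the script is executed directly.

```python
"""Added example, not from the question or answer: static Gateway Response
bodies for the error types a custom authorizer can trigger, expressed as
kwargs for boto3 apigateway.put_gateway_response. REST API id and message
texts are constructed; nothing is sent unless run as a script."""
import json
import re

# The answer's point: the body is static. A $context.* reference would be
# substituted by the gateway at render time, so reject templates that use
# one when the intent is a fixed message.
VTL_REFERENCE = re.compile(r"\$\{?[A-Za-z_]")

# Gateway response type -> (HTTP status, fixed message). The types and codes
# are the ones API Gateway defines; the messages are sample text.
STATIC_MESSAGES = {
    "UNAUTHORIZED": ("401", "My service doesn't like you for some unknown reason"),
    "ACCESS_DENIED": ("403", "Token accepted, but it does not grant this resource"),
    "AUTHORIZER_CONFIGURATION_ERROR": ("500", "Authorizer failed; see CloudWatch logs"),
}


def static_body(message):
    """Render a mapping template that is plain JSON with no VTL substitutions."""
    body = json.dumps({"message": message})
    if VTL_REFERENCE.search(body):
        raise ValueError("template must be static: " + body)
    return body


def gateway_response_requests(rest_api_id):
    """Return one put_gateway_response kwargs dict per error type."""
    return [
        {
            "restApiId": rest_api_id,
            "responseType": response_type,
            "statusCode": status,
            "responseTemplates": {"application/json": static_body(message)},
        }
        for response_type, (status, message) in STATIC_MESSAGES.items()
    ]


if __name__ == "__main__":
    import boto3  # only needed for the live call
    client = boto3.client("apigateway", region_name="us-west-2")
    for kwargs in gateway_response_requests("REPLACE_WITH_REST_API_ID"):
        client.put_gateway_response(**kwargs)
        print("configured", kwargs["responseType"], kwargs["statusCode"])
```

Keeping the 500 body generic is deliberate: the authorizer's own exception text never reaches this template anyway, and a fixed message avoids leaking internal detail to the caller while CloudWatch keeps the real reason.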
Tags: java, amazon-web-services, authentication, http, aws-api-gateway Source: https://codeday.me/bug/20190910/1798741.html