大佬教程收集整理的这篇文章主要介绍了在Spring Boot Resource Server中处理安全异常,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
如前面的注释中所述,该请求在到达MVC层之前被安全框架拒绝,因此@ControllerAdvice
这里不是一个选择。
Spring Security框架中有3个接口可能是您感兴趣的:
您可以为每个接口创建实现,以自定义针对各种事件发送的响应:成功登录,登录失败,尝试使用权限不足访问受保护的资源。
以下将在登录尝试失败时返回JsON响应:
@Component
public class RestAuthenticationFailureHandler implements AuthenticationFailureHandler
{
@OverrIDe
public voID onAuthenticationFailure(httpServletrequest request, httpServletResponse response,
AuthenticationException eX) throws IOException, servletexception
{
response.setStatus(httpStatus.FORBIDDEN.value());
Map<String, Object> data = new HashMap<>();
data.put("timestamp", new Date());
data.put("status",httpStatus.FORBIDDEN.value());
data.put("message", "Access DenIEd");
data.put("path", request.getrequestuRL().toString());
OutputStream out = response.getoutputStream();
com.fasterxml.jackson.databind.objectMapper mapper = new ObjectMapper();
mapper.writeValue(out, data);
out.flush();
}
}
您还需要向安全框架注册您的实现。在Java配置中,如下所示:
@Configuration
@EnableWebSecurity
@ComponentScan("...")
public class SecurityConfiguration extends WebSecurityConfigurerAdapter
{
@OverrIDe
public voID configure(httpSecurity http) throws Exception
{
http.addFilterBefore(corsFilter(), ChAnnelProcessingFilter.class).logout().deletecookies("jeSSIONID")
.logoutUrl("/API/logout").logoutsuccessHandler(logoutsuccessHandler()).and().formLogin().loginPage("/login")
.loginProcessingUrl("/API/login").failureHandler(authenticationFailureHandler())
.successHandler(authenticationsuccessHandler()).and().csrf().disable().exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint()).accessDenIEdHandler(accessDenIEdHandler());
}
/**
* @return Custom {@link AuthenticationFailureHandler} to send suitable response to REST clIEnts in the event of a
* Failed authentication attempt.
*/
@Bean
public AuthenticationFailureHandler authenticationFailureHandler()
{
return new RestAuthenticationFailureHandler();
}
/**
* @return Custom {@link AuthenticationsuccessHandler} to send suitable response to REST clIEnts in the event of a
* successful authentication attempt.
*/
@Bean
public AuthenticationsuccessHandler authenticationsuccessHandler()
{
return new RestAuthenticationsuccessHandler();
}
/**
* @return Custom {@link AccessDenIEdHandler} to send suitable response to REST clIEnts in the event of an attempt to
* access resources to which the user has insufficIEnt privileges.
*/
@Bean
public AccessDenIEdHandler accessDenIEdHandler()
{
return new RestAccessDenIEdHandler();
}
}
如何在纯资源服务器上获取自定义ResponseEntityExceptionHandler
或OAuth2ExceptionRenderer
处理Spring安全性引发的异常?
我们实施了
@ControllerAdvice
@RestController
public class GlobalExceptionHandler extends ResponseEntityExceptionHandler {
因此,只要资源服务器上出现错误,我们都希望它回答
{
"message": "...","type": "...","status": 400
}
资源服务器使用application.properties设置:
security.oauth2.resource.userInfoUri: http://localhost:9999/auth/user
对我们的身份验证服务器进行身份验证和授权请求。
但是,任何spring安全错误将始终绕过我们的异常处理程序
@ExceptionHandler(InvalidTokenException.class)
public ResponseEntity<Map<String,Object>> handleInvalidTokenException(InvalidTokenException E) {
return createErrorResponseAndLog(e,401);
}
并产生
{
"timestamp": "2016-12-14T10:40:34.122Z","status": 403,"error": "Forbidden","message": "Access Denied","path": "/api/templates/585004226f793042a094d3a9/scheR_845_11845@a"
}
要么
{
"error": "invalid_token","error_description": "5d7e4ab5-4a88-4571-b4a4-042bce0a076b"
}
那么,如何为资源服务器配置安全异常处理?我所发现的都是有关如何通过实现custom来定制Auth
Server的示例OAuth2ExceptionRenderer
。但是我找不到将其连接到资源服务器安全链的位置。
我们唯一的配置/设置是这样的:
@SpringBootApplication
@Configuration
@ComponentScan(basePackages = {"our.packages"})
@EnableAutoConfiguration
@EnableresourceServer
以上是大佬教程为你收集整理的在Spring Boot Resource Server中处理安全异常全部内容,希望文章能够帮你解决在Spring Boot Resource Server中处理安全异常所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。