大佬教程收集整理的这篇文章主要介绍了如何在Spring Security 3.1中处理不同的身份验证异常?,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
首先,我想评论一下,我已经检查了Stack Overflow中的其他问题,并根据答案实现了我自己的方法:https://stackoverflow.com/a/14425801/2487263和https://stackoverflow.com/a/16101649/2487263
我试图在Spring 3.2,Spring MVC应用程序中使用Spring安全3.1来保护REST API,我使用简单配置的基本身份验证方法:
@H_404_7@<http create-session="stateless" entry-point-ref="authenticationFailedEntryPoint">
如您所见,我使用自定义入口点,我有自己的ErrorResponse对象,我将以json格式添加到http响应,请参阅下面的代码:
@H_404_7@ 我尝试了两种测试用例的方法: >尝试使用一个服务而不提供基本身份验证标头: 这是请求/响应:
@H_404_7@ 2.-尝试使用相同的服务,但现在使用错误的密码发送基本身份验证标头: 这是请求/响应:
@H_404_7@ 正如您在第一种情况下所看到的那样,达到了入口点,并且在正确处理异常的情况下执行了begin方法,并返回了json响应.但是,当密码错误时,情况就不会发生. 在日志中我发现两个案例都产生了不同的流程: 对于案例1(没有auth标头):
@H_404_7@ 对于案例2(密码错误):
@H_404_7@ 第一种情况抛出一个AccessDeniedException,它被捕获并发送到我的入口点的begin方法,但抛出BadCredentialsException的第二种情况不会进入入口点. 这里奇怪的是,begin方法应该接收一个AuthenticationException,但是AccessDeniedException不是AuthenticationException而是BadCredentialsException,请参阅Spring security 3.1 api文档中的继承树:
@H_404_7@ 为什么使用不正确类型的异常调用begin方法,以及为什么在具有正确类型的BadCredentialsException时不调用? 编辑—实现@Luke的答案 所描述的两个解决方案使用问题中显示的自定义AuthenticationEntryPoint,需要选择以下两个选项之一来修改配置:
@H_404_7@ >或者将入口点添加到http-basic元素,IMO是最干净的解决方案:
@H_404_7@ @Component
public class AuthenticationFailedEntryPoint implements AuthenticationEntryPoint {
static Logger log = Logger.getLogger(AuthenticationFailedEntryPoint.class);
@Override
public void commence(httpServletrequest request,httpServletResponse response,AuthenticationException authException) throws IOException,ServletException {
log.error(ExceptionUtils.getStackTrace(authException));
ErrorResponse errorResponse = new ErrorResponse();
... here I fill my errorResponse object ...
ObjectMapper jsonMapper = new ObjectMapper();
response.setContentType("application/json;charset=UTF-8");
response.setStatus(status);
PrintWriter out = response.getWriter();
out.print(jsonMapper.writeValueAsString(errorResponsE));
}
}
@H_607_10@
GET http://localhost:8081/accounts/accounts?accountnumber=1013
-- response --
401 Unauthorized
Server: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 320
Date: Fri,25 Oct 2013 17:11:15 GMT
Proxy-Connection: Keep-alive
{"status":401,"@R_197_8798@ges":[{"code":"000011","@R_197_8798@ge":"You are not authorized to reach this endpoint"}]}
@H_607_10@
GET http://localhost:8081/accounts/accounts?accountnumber=1013
Authorization: Basic bXl1c2VyOmdvb2RieWU=
-- response --
401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="Spring Security Application"
Content-Type: text/html;charset=utf-8
Content-Length: 1053
Date: Fri,25 Oct 2013 17:03:09 GMT
Proxy-Connection: Keep-alive
@H_607_10@
...
2013-10-25 13:11:15,830 DEBUG tomcat-http--13 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /accounts?accountnumber=1013; Attributes: [ROLE_USER]
2013-10-25 13:11:15,830 DEBUG tomcat-http--13 org.springframework.security.web.access.intercept.FilterSecurityInterceptor - PrevIoUsly Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpaddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONymOUS
2013-10-25 13:11:15,830 DEBUG tomcat-http--13 org.springframework.security.access.Vote.AffirmativeBased - Voter: org.springframework.security.access.Vote.RoleVoter@11da1f99,returned: -1
2013-10-25 13:11:15,831 DEBUG tomcat-http--13 org.springframework.security.access.Vote.AffirmativeBased - Voter: org.springframework.security.access.Vote.AuthenticatedVoter@7507ef7,returned: 0
2013-10-25 13:11:15,831 DEBUG tomcat-http--13 org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecTing to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
...
@H_607_10@
...
2013-10-25 13:03:08,941 DEBUG tomcat-http--11 org.springframework.security.web.authentication.www.basicAuthenticationFilter - Basic Authentication Authorization header found for user 'myuser'
2013-10-25 13:03:08,941 DEBUG tomcat-http--11 org.springframework.security.authentication.ProvideRMANager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2013-10-25 13:03:09,544 DEBUG tomcat-http--11 org.springframework.security.authentication.dao.DaoAuthenticationProvider - Authentication Failed: password does not match stored value
2013-10-25 13:03:09,545 DEBUG tomcat-http--11 org.springframework.security.web.authentication.www.basicAuthenticationFilter - Authentication request for Failed: org.springframework.security.authentication.badCredentialsException: Bad credentials
2013-10-25 13:00:30,136 DEBUG tomcat-http--9 org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder Now cleared,as request processing completed
...
@H_607_10@
java.lang.object
extended by java.lang.Throwable
extended by java.lang.Exception
extended by java.lang.RuntimeException
extended by org.springframework.security.access.AccessDeniedException
java.lang.object
extended by java.lang.Throwable
extended by java.lang.Exception
extended by java.lang.RuntimeException
extended by org.springframework.security.core.AuthenticationException
extended by org.springframework.security.authentication.badCredentialsException
@H_607_10@
<http create-session="stateless" entry-point-ref="authentication@H_944_60@FailedEntryPoint">
<http create-session="stateless" entry-point-ref="authentication@H_944_60@FailedEntryPoint">
您还需要设置entry-point-ref
attribute on the http-basic
元素来解决此问题.
或者,您可以将基本身份验证筛选器定义为bean,并完全避免使用命名空间.
以上是大佬教程为你收集整理的如何在Spring Security 3.1中处理不同的身份验证异常?全部内容,希望文章能够帮你解决如何在Spring Security 3.1中处理不同的身份验证异常?所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。