Java SpringBoot,默认身份验证失败处理程序是如何工作的
就是这样,我开发了一个简单的spring引导安全应用程序,使用内存中的DB。在成功的身份验证时,它会重定向到另一个站点,我的问题出现在身份验证失败时,因为它会显示一个空白屏幕 我已经建立了一个单一的spring安全应用程序,并实现了AuthenticationFailureHandler和AuthenticationSuccessHandler。当我不使用自定义AuthenticationFailureHandler时,我确实会在屏幕上收到一条错误的凭据消息Java SpringBoot,默认身份验证失败处理程序是如何工作的,java,spring-boot,spring-mvc,handler,Java,Spring Boot,Spring Mvc,Handler,就是这样,我开发了一个简单的spring引导安全应用程序,使用内存中的DB。在成功的身份验证时,它会重定向到另一个站点,我的问题出现在身份验证失败时,因为它会显示一个空白屏幕 我已经建立了一个单一的spring安全应用程序,并实现了AuthenticationFailureHandler和AuthenticationSuccessHandler。当我不使用自定义AuthenticationFailureHandler时,我确实会在屏幕上收到一条错误的凭据消息 import org.springf
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import com.tech.app.security.handler.CsegAuthenticationFailureHandler;
import com.tech.app.security.handler.CsegAuthenticationSuccessHandler;
@SuppressWarnings("deprecation")
@Configuration
@EnableWebSecurity
public class CsegSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private CsegAuthenticationSuccessHandler successHandler;
@Autowired
private CsegAuthenticationFailureHandler failureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated().and()
.formLogin()
.successHandler(successHandler)
.failureHandler(failureHandler);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication().passwordEncoder(NoOpPasswordEncoder.getInstance()).withUser("user").password("password").roles("USER");
}
}
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import com.fasterxml.jackson.databind.ObjectMapper;
@Component
public class CsegAuthenticationFailureHandler implements AuthenticationFailureHandler{
private ObjectMapper objectMapper = new ObjectMapper();
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
System.out.println("credenciales invalidas");
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> data = new HashMap<>();
data.put("timestamp", Calendar.getInstance().getTime());
data.put("exception", exception.getMessage());
response.getOutputStream()
.println(objectMapper.writeValueAsString(data));
redirectStrategy.sendRedirect(request, response, "/login?error=true");
}
}
import org.springframework.beans.factory.annotation.Autowired;
导入org.springframework.context.annotation.Configuration;
导入org.springframework.http.HttpMethod;
导入org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
导入org.springframework.security.config.annotation.web.builders.HttpSecurity;
导入org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
导入org.springframework.security.config.annotation.web.configuration.websecurityConfigureAdapter;
导入org.springframework.security.crypto.password.NoOpPasswordEncoder;
导入com.tech.app.security.handler.CsegAuthenticationFailureHandler;
导入com.tech.app.security.handler.CsegAuthenticationSuccessHandler;
@抑制警告(“弃用”)
@配置
@启用Web安全性
公共类CsegSecurityConfig扩展了WebSecurity配置适配器{
@自动连线
私有CsegAuthenticationSuccessHandler成功处理程序;
@自动连线
私有CsegAuthenticationFailureHandler failureHandler;
@凌驾
受保护的无效配置(HttpSecurity http)引发异常{
http
.authorizeRequests().antMatchers(HttpMethod.POST,“/login”).permitAll()
.anyRequest().authenticated()和()
.formLogin()
.successHandler(successHandler)
.故障处理程序(故障处理程序);
}
@凌驾
受保护的无效配置(AuthenticationManagerBuilder auth)引发异常{
认证
.inMemoryAuthentication().passwordEncoder(NoOpPasswordEncoder.getInstance()).withUser(“用户”).password(“密码”).roles(“用户”);
}
}
导入java.io.IOException;
导入javax.servlet.ServletException;
导入javax.servlet.http.HttpServletRequest;
导入javax.servlet.http.HttpServletResponse;
导入org.springframework.security.core.AuthenticationException;
导入org.springframework.security.web.DefaultRedirectStrategy;
导入org.springframework.security.web.strategy;
导入org.springframework.security.web.authentication.AuthenticationFailureHandler;
导入org.springframework.stereotype.Component;
导入com.fasterxml.jackson.databind.ObjectMapper;
@组成部分
公共类CsegAuthenticationFailureHandler实现AuthenticationFailureHandler{
私有ObjectMapper ObjectMapper=新ObjectMapper();
private RedirectStrategy RedirectStrategy=新的DefaultRedirectStrategy();
@凌驾
验证失败(HttpServletRequest请求、HttpServletResponse响应、,
AuthenticationException(异常)引发IOException、ServletException{
系统输出打印号(“残疾军人证”);
response.setStatus(HttpStatus.UNAUTHORIZED.value());
映射数据=新的HashMap();
data.put(“timestamp”,Calendar.getInstance().getTime());
data.put(“exception”,exception.getMessage());
response.getOutputStream()
.println(objectMapper.writeValueAsString(数据));
redirectStrategy.sendRedirect(请求、响应,“/login?error=true”);
}
}
我想要的是,在身份验证失败时,在DB中保存一条记录,并返回到spring生成的默认登录页面,屏幕上显示相应的坏凭证消息。我还想知道默认的AuthenticationFailureHandler在哪里,以及它是如何工作的。我得到的只是一个空白屏幕
通过将适当的
位置
标题设置为响应来进行重定向。有了youtput流,您必须首先按照特定的顺序编写协议、头、响应体
如果开始写入正文,则无法写入标题(除非正在缓冲输出)。所以要么写正文,要么重定向。删除它,然后立即重定向。
response.getOutputStream().println(objectMapper.writeValueAsString(data))
删除对象数据
及其所有逻辑,只保留发送重定向
,它重定向回登录页面,但没有提示错误消息不同的情况是,为了重定向,必须先写标题,如果开始写正文(直接到输出流),则无法完成此操作