Java Spring security-自定义例外TranslationFilter
这个问题实际上与这个问题有关 根据@harsh poddar的建议,我相应地添加了过滤器 然而,在添加后,似乎我无法登录,即使使用有效的凭证 以下是相关代码: 证券配置 CustomAuthenticationProvider CustomAuthenticationEntryPoint p/s:很抱歉问这个基本问题,我对spring&spring security非常陌生Java Spring security-自定义例外TranslationFilter,java,spring,spring-mvc,spring-security,Java,Spring,Spring Mvc,Spring Security,这个问题实际上与这个问题有关 根据@harsh poddar的建议,我相应地添加了过滤器 然而,在添加后,似乎我无法登录,即使使用有效的凭证 以下是相关代码: 证券配置 CustomAuthenticationProvider CustomAuthenticationEntryPoint p/s:很抱歉问这个基本问题,我对spring&spring security非常陌生 AuthenticationEntryPoint的预期设计是启动/启动身份验证。但是,您的实现CustomAuthenti
AuthenticationEntryPoint
的预期设计是启动/启动身份验证。但是,您的实现CustomAuthenticationEntryPoint
并没有做到这一点。相反,它只是发回一个未经授权的响应。有关实现细节的更多详细信息,请参见javadoc
根据您的配置,您正在使用HTTP Basic进行身份验证:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
此特定配置将自动配置基本身份验证入口点
,它是身份验证入口点
的实现。BasicAuthenticationEntryPoint
将使用WWW-Authenticate:Basic realm=“user realm”
的http响应头质询用户进行身份验证,如所示
但是,您正在配置自己的CustomAuthenticationEntryPoint
这一事实最终将覆盖BasicAuthenticationEntryPoint
,这不是您想要做的
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint());
}
推荐的配置也不是您想要的
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint());
}
如果您的主要目标是在身份验证失败时向用户提供自定义响应,那么我建议使用已配置的AuthenticationFailureHandler
进行表单登录配置。以下是配置:
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().failureHandler(new DefaultAuthenticationFailureHandler())
.and()
.csrf().disable(); // NOTE: I would recommend enabling CSRF
DefaultAuthenticationFailureHandler
的实现将是:
public class DefaultAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
// Set status only OR do whatever you want to the response
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
}
}
专门设计用于处理失败的身份验证尝试。请参阅previos问题@D0dger中的我的答案:谢谢您给出的答案。但同样的错误依然存在。使用有效凭据登录也会触发“AuthExceptionEntryPoint”。有任何提示我可以在哪里检查以调试此问题吗?打开
org.springframework.security
包的日志记录并将其附加到问题(当有效凭据不起作用时)谢谢您的建议。我试过了,发现每个请求都被重定向(302)到“/登录”。关于您的信息,这是一个通过@RestController进行通信的web服务。
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint());
}
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().failureHandler(new DefaultAuthenticationFailureHandler())
.and()
.csrf().disable(); // NOTE: I would recommend enabling CSRF
public class DefaultAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
// Set status only OR do whatever you want to the response
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
}
}