当spring security收到空凭据(用户名和密码)时,如何创建自定义响应?
我正在使用邮递员向我的服务器发送一个没有值的用户名和密码;这就像当spring security收到空凭据(用户名和密码)时,如何创建自定义响应?,spring,security,spring-security,basic-authentication,postman,Spring,Security,Spring Security,Basic Authentication,Postman,我正在使用邮递员向我的服务器发送一个没有值的用户名和密码;这就像username=null和password=null 为了控制服务器的安全性,我使用SpringSecurity3.2。当收到这些凭证时,spring安全性将响应此错误 Estado HTTP 500 - Fields must not be empty java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
username=nullpassword=nullEstado HTTP 500 - Fields must not be empty
java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
org.springframework.security.core.userdetails.User.<init>(User.java:99)
org.springframework.security.core.userdetails.User.<init>(User.java:69)
com.equifax.product.fraud.applicationprocessing.web.rest.interceptors.security.SecurityAuthenticationProvider.retrieveUser(SecurityAuthenticationProvider.java:59)
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:132)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
Estado HTTP 500-字段不能为空
java.lang.IllegalArgumentException:无法将null或空值传递给构造函数
org.springframework.security.core.userdetails.User.(User.java:99)
org.springframework.security.core.userdetails.User.(User.java:69)
com.equifax.product.fraud.applicationprocessing.web.rest.interceptors.security.SecurityAuthenticationProvider.retrieveUser(SecurityAuthenticationProvider.java:59)
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:132)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:168)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
<security:http create-session="never" use-expressions="true"
auto-config="false">
<security:intercept-url pattern="/application/**"
access="isFullyAuthenticated()" />
<security:anonymous />
<security:http-basic entry-point-ref="securityAccessDeniedEntryPoint" />
<security:access-denied-handler ref="securityAccessDeniedHandler" />
</security:http>
<security:authentication-manager alias="authenticationManager"
erase-credentials="false">
<security:authentication-provider
ref="genericSecurityAuthenticationProvider" />
</security:authentication-manager>
我正在使用Spring 3.2,您可以做的是定义一个AuthenticationFailureHandler bean,在实现这个bean之后,您可以在AuthenticationFailure()方法中执行您想要的操作 XML配置:
<beans:bean id="myFailureHandler" class="my.custom.impl.MyCustomAuthenticationFailureHandler"/>
<security:http ....>
<security:form-login authentication-failure-handler-ref="myFailureHandler" />
</security:http>
Obs.:如果您想做的事情不适用于此解决方案,您可以实现一个使用spring security的标准异常,如果您已经有一个异常处理程序将消息转换为Json响应,它将自行处理
catch (Exception exception)
{
throw new AuthenticationCredentialsNotFoundException("Fields must not be empty", exception);
}
您正在传递基本身份验证字符串“:”(在base64解码之后),因此,正如您所说的,这将导致用户名密码为空。
BasicAuthenticationFilterSecurityAuthenticationProviderUserAuthenticationProvider中的空值,并抛出Authenticationexception
您还需要覆盖基本身份验证过滤器
中的onunsuccessful身份验证
函数,以写入所需的错误响应。您必须将其配置为,而不是使用
元素。在使用spring security之前,我从未这样做过,但我认为本文描述了您需要的一切:一个一般性问题,您在这个项目中使用Jersey库吗?第二个问题,您使用的是哪个Spring版本?@ThomasWeglinski我使用的是Spring 3.2,我没有使用Jersey.apperEstado HTTP 500-请求处理失败;嵌套异常为com.example.product.fraud.basic.configuration.framework.exceptions.ConfigurationNotFoundException:未找到用户配置。
您可以做的另一件事是创建异常处理程序此处的配置错误-需要在特定筛选器上设置故障处理程序。但是,基本身份验证不支持身份验证失败处理程序,因此在本例中它不是一个选项。不,这在这里没有帮助。拒绝访问处理程序仅适用于经过身份验证的用户。为此,需要使用特定消息创建入口点处理程序
和拒绝访问处理程序