具有Java配置的Spring Security:如何处理来自自定义提供程序的BadCredentialsException [英] Spring Security with Java Configuration: How to handle BadCredentialsException from a custom provider

问题描述

我需要使用url中的令牌ID(或可能是请求标头中的令牌ID)对一些其他服务进行身份验证，但这暂时不重要.我正在尝试使用Java配置来设置此设置，并以此 post 作为指导.我的问题是我不知道如何处理从提供者身份验证失败时引发的"BadCredentialsException".这是我的安全配置:

I need to authenticate some rest services using a token id in the url (or maybe in the request header - but this is not important for now). I am trying to use java configuration to set this up using as a guide this post. My problem is that I do not know how to handle "BadCredentialsException" that is thrown when the authentication fails from the provider. Here is my Security Config:

public static class SecurityConfigForRS extends
        WebSecurityConfigurerAdapter {

    @Autowired
    TokenAuthenticationProvider tokenAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.authenticationProvider(tokenAuthenticationProvider);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean()
            throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.regexMatcher("^/rest.*")
                .addFilterBefore(
                        new TokenAuthenticationFilter(
                                authenticationManagerBean()),
                        AbstractPreAuthenticatedProcessingFilter.class)
                .and().csrf().disable();

    }
}

现在，我跳过其他实现-如果有帮助，我将在以后发布它们.

For now I skip the other implementations - if it helps I will post them later.

当令牌丢失或无效时，TokenAuthernticationProvider会引发BadCredentialsException.我需要抓住这一点并发回401-Unauthorized.可以这样做吗?

When the token is missing or is invalid, the TokenAuthernticationProvider throws a BadCredentialsException. I need to catch this and send back an 401-Unauthorized. Is it possible to do this?

推荐答案

我创建的第一个过滤器是 GenericFilterBean 的子类，它不支持身份验证失败处理程序或成功处理程序.但是 AbstractAuthenticationProcessingFilter 支持成功和失败处理程序.我的过滤器就是这么简单:

The first Filter I created was a subclass of GenericFilterBean and it did not have support for authentication failure handler or success handler. However AbstractAuthenticationProcessingFilter supports success and failure handlers. My filter is as simple as that:

public class TokenAuthenticationProcessingFilter extends
    AbstractAuthenticationProcessingFilter {

public TokenAuthenticationProcessingFilter(
        RequestMatcher requiresAuthenticationRequestMatcher) {
    super(requiresAuthenticationRequestMatcher);
}

@Override
public Authentication attemptAuthentication(HttpServletRequest request,
        HttpServletResponse response) throws AuthenticationException,
        IOException, ServletException {
    Authentication auth = new TokenAuthentication("-1");
    try {
        Map<String, String[]> params = request.getParameterMap();
        if (!params.isEmpty() && params.containsKey("auth_token")) {
            String token = params.get("auth_token")[0];
            if (token != null) {
                auth = new TokenAuthentication(token);
            }
        }
        return this.getAuthenticationManager().authenticate(auth);
    } catch (AuthenticationException ae) {
        unsuccessfulAuthentication(request, response, ae);
    }
    return auth;
}}

我的http安全性是:

and my http security is:

    public static class SecurityConfigForRS extends
        WebSecurityConfigurerAdapter {

    @Autowired
    TokenAuthenticationProvider tokenAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.authenticationProvider(tokenAuthenticationProvider);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean()
            throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    protected AbstractAuthenticationProcessingFilter getTokenAuthFilter()
            throws Exception {
        TokenAuthenticationProcessingFilter tapf = new TokenAuthenticationProcessingFilter(
                new RegexRequestMatcher("^/rest.*", null));
        tapf.setAuthenticationManager(authenticationManagerBean());
        return tapf;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http.regexMatcher("^/rest.*")
                .addFilterAfter(getTokenAuthFilter(),
                        BasicAuthenticationFilter.class).csrf().disable();

    }
}

过滤链顺序 很重要！我将其放在BasicAuthenticationFilter之后，它可以正常工作.当然，可能会有更好的解决方案，但是目前可以使用！

The filter chain order does matter! I placed it after BasicAuthenticationFilter and it works fine. Of course there might be a better solution but for now this works!

这篇关于具有Java配置的Spring Security:如何处理来自自定义提供程序的BadCredentialsException的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！