具有Java配置的Spring Security:如何处理来自自定义提供程序的BadCredentialsException [英] Spring Security with Java Configuration: How to handle BadCredentialsException from a custom provider
问题描述
我需要使用url中的令牌ID(或可能是请求标头中的令牌ID)对一些其他服务进行身份验证,但这暂时不重要.我正在尝试使用Java配置来设置此设置,并以此 post 作为指导.我的问题是我不知道如何处理从提供者身份验证失败时引发的"BadCredentialsException".这是我的安全配置:
I need to authenticate some rest services using a token id in the url (or maybe in the request header - but this is not important for now). I am trying to use java configuration to set this up using as a guide this post. My problem is that I do not know how to handle "BadCredentialsException" that is thrown when the authentication fails from the provider. Here is my Security Config:
public static class SecurityConfigForRS extends
WebSecurityConfigurerAdapter {
@Autowired
TokenAuthenticationProvider tokenAuthenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(tokenAuthenticationProvider);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.regexMatcher("^/rest.*")
.addFilterBefore(
new TokenAuthenticationFilter(
authenticationManagerBean()),
AbstractPreAuthenticatedProcessingFilter.class)
.and().csrf().disable();
}
}
现在,我跳过其他实现-如果有帮助,我将在以后发布它们.
For now I skip the other implementations - if it helps I will post them later.
当令牌丢失或无效时,TokenAuthernticationProvider
会引发BadCredentialsException
.我需要抓住这一点并发回401-Unauthorized
.可以这样做吗?
When the token is missing or is invalid, the TokenAuthernticationProvider
throws a BadCredentialsException
. I need to catch this and send back an 401-Unauthorized
. Is it possible to do this?
推荐答案
我创建的第一个过滤器是 GenericFilterBean 的子类,它不支持身份验证失败处理程序或成功处理程序.但是 AbstractAuthenticationProcessingFilter 支持成功和失败处理程序.我的过滤器就是这么简单:
The first Filter I created was a subclass of GenericFilterBean and it did not have support for authentication failure handler or success handler. However AbstractAuthenticationProcessingFilter supports success and failure handlers. My filter is as simple as that:
public class TokenAuthenticationProcessingFilter extends
AbstractAuthenticationProcessingFilter {
public TokenAuthenticationProcessingFilter(
RequestMatcher requiresAuthenticationRequestMatcher) {
super(requiresAuthenticationRequestMatcher);
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException,
IOException, ServletException {
Authentication auth = new TokenAuthentication("-1");
try {
Map<String, String[]> params = request.getParameterMap();
if (!params.isEmpty() && params.containsKey("auth_token")) {
String token = params.get("auth_token")[0];
if (token != null) {
auth = new TokenAuthentication(token);
}
}
return this.getAuthenticationManager().authenticate(auth);
} catch (AuthenticationException ae) {
unsuccessfulAuthentication(request, response, ae);
}
return auth;
}}
我的http安全性是:
and my http security is:
public static class SecurityConfigForRS extends
WebSecurityConfigurerAdapter {
@Autowired
TokenAuthenticationProvider tokenAuthenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(tokenAuthenticationProvider);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}
@Bean
protected AbstractAuthenticationProcessingFilter getTokenAuthFilter()
throws Exception {
TokenAuthenticationProcessingFilter tapf = new TokenAuthenticationProcessingFilter(
new RegexRequestMatcher("^/rest.*", null));
tapf.setAuthenticationManager(authenticationManagerBean());
return tapf;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);
http.regexMatcher("^/rest.*")
.addFilterAfter(getTokenAuthFilter(),
BasicAuthenticationFilter.class).csrf().disable();
}
}
过滤链顺序 很重要!我将其放在BasicAuthenticationFilter之后,它可以正常工作.当然,可能会有更好的解决方案,但是目前可以使用!
The filter chain order does matter! I placed it after BasicAuthenticationFilter and it works fine. Of course there might be a better solution but for now this works!
这篇关于具有Java配置的Spring Security:如何处理来自自定义提供程序的BadCredentialsException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!