Spring Boot 2 使用 401 而不是 403 [英] 401 instead of 403 with Spring Boot 2
问题描述
使用 Spring Boot 1.5.6.RELEASE能够发送 HTTP 状态代码 401 而不是 403,如 如果在没有身份验证的情况下请求uri,如何让spring安全响应未经授权(http 401代码),这样做:
With Spring Boot 1.5.6.RELEASE I was able to send HTTP Status code 401 instead of 403 as described in How let spring security response unauthorized(http 401 code) if requesting uri without authentication, by doing this:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
//...
http.exceptionHandling()
.authenticationEntryPoint(new Http401AuthenticationEntryPoint("myHeader"));
//...
}
}
使用 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类.
我刚刚升级到Spring启动 2.0.0.RELEASE 发现不再有这样的类了(至少在那个包中).
I just upgraded to Spring Boot 2.0.0.RELEASE and found there is not such class any more (at least in that package).
问题:
这个类(
Http401AuthenticationEntryPoint)在 Spring Boot 中还存在吗?
Does this class (
Http401AuthenticationEntryPoint) exist yet in Spring Boot?
如果不是,在现有项目中保持相同行为以保持与依赖此状态代码(401)而不是其他实现的一致性的好方法是什么?403?
If no, what could be a good alternative for keeping the same behavior in an existing project in order to keep consistency with other implementations which depend on this status code (401) instead of 403?
推荐答案
注意
默认 当 spring-boot-starter-security 添加为时,Spring Boot 2 将返回 401执行依赖项和未经授权的请求.
Heads up
By default Spring Boot 2 will return 401 when spring-boot-starter-security is added as a dependency and an unauthorized request is performed.
如果您放置一些自定义配置来修改安全机制行为,这可能会改变.如果是这种情况,并且您确实需要强制使用 401 状态,请阅读下面的原始帖子.
This may change if you place some custom configurations to modify the security mechanism behavior. If that's the case and you truly need to force the 401 status, then read the below original post.
类 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 被移除,取而代之的是 org.springframework.security.web.authentication.HttpStatusEntryPoint.
The class org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint was removed in favor of org.springframework.security.web.authentication.HttpStatusEntryPoint.
就我而言,代码将如下所示:
In my case the code would go like this:
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
//...
http.exceptionHandling()
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
//...
}
}
奖金
如果您需要在响应正文中返回一些信息或以某种方式自定义响应,您可以执行以下操作:
If you need to return some information in the response body or customize the response somehow you can do something like this:
1- 扩展 AuthenticationEntryPoint
public class MyEntryPoint implements AuthenticationEntryPoint {
private final HttpStatus httpStatus;
private final Object responseBody;
public MyEntryPoint(HttpStatus httpStatus, Object responseBody) {
Assert.notNull(httpStatus, "httpStatus cannot be null");
Assert.notNull(responseBody, "responseBody cannot be null");
this.httpStatus = httpStatus;
this.responseBody = responseBody;
}
@Override
public final void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
response.setStatus(httpStatus.value());
try (PrintWriter writer = response.getWriter()) {
writer.print(new ObjectMapper().writeValueAsString(responseBody));
}
}
}
2- 为安全配置提供一个 MyEntryPoint 实例
2- Provide an instance of MyEntryPoint to the security configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// customize your response body as needed
Map<String, String> responseBody = new HashMap<>();
responseBody.put("error", "unauthorized");
//...
http.exceptionHandling()
.authenticationEntryPoint(new MyEntryPoint(HttpStatus.UNAUTHORIZED, responseBody));
//...
}
}
这篇关于Spring Boot 2 使用 401 而不是 403的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
