如何在没有 XML 配置的情况下定义自定义 AuthenticationEntryPoint [英] How to define a custom AuthenticationEntryPoint without XML configuration

问题描述

我已经挣扎了几天了.我是 Spring Boot 的新手，喜欢不使用 XML 配置的想法.

I've been struggling for a few days now. I'm kind of new in Spring Boot, and like the idea of not using XML configuration.

我创建了一个 RESTfull 应用程序(使用 JSON).我正在关注 本教程以正确配置身份验证.

I created a RESTfull application (with JSON). I'm following this tutorial to configure authentication properly.

我想我设法使用 Java 配置复制了几乎所有的配置，除了一件事 - AuthenticationEntryPoint

I think I managed to reproduce almost all of its configurations using Java configuration, except for one thing - AuthenticationEntryPoint

本教程使用了这样的 http 标签中的一个属性，并通过以下方式定义了一个 formLogin:

The tutorial uses a property in http tag like this and defines a formLogin in the following way:

<http entry-point-ref="restAuthenticationEntryPoint">

  <intercept-url pattern="/api/admin/**" access="ROLE_ADMIN"/>

  <form-login
     authentication-success-handler-ref="mySuccessHandler"
     authentication-failure-handler-ref="myFailureHandler"
  />

  <logout />

</http>

Spring 安全手册 说:

The AuthenticationEntryPoint explanation in the Spring Security manual says:

AuthenticationEntryPoint 可以使用

上的 entry-point-ref 属性来设置.http > 元素.

AuthenticationEntryPoint can be set using the entry-point-ref attribute on the < http > element.

没有提及如何使用 Java 配置来实现.

Doesn't mention anything about how to do it using Java Configuration.

那么如何在没有 XML 的情况下注册"我自己的 restAuthenticationEntryPoint 以防止在使用 formLogin 时重定向到登录表单?

So how can I "register" my own restAuthenticationEntryPoint without XML in order to prevent the redirection to a login form when using formLogin?

下面我会提到我尝试过的.

Below I will mention what I have tried.

谢谢大家.

在我的尝试中，发现您可以像这样使用 basicAuth 定义它:

In my attempts, found you can define it using basicAuth like this:

@Configuration
@Order(1)                                                        
public static class RestWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {


        if (restAuthenticationEntryPoint == null) {
            restAuthenticationEntryPoint = new RestAuthenticationEntryPoint();
        }

        http
            .authorizeRequests()
                .antMatchers("/**").hasAnyRole(Sec.ADMIN,Sec.SUPER_USER)
...
        .and()
            .httpBasic()
                .authenticationEntryPoint(restAuthenticationEntryPoint)

但我使用的是这样的表单登录(没有 httpBasic 部分):

But I'm using a form login like this (without the httpBasic part):

        .and()
            .formLogin()
                .successHandler(mySavedRequestAwareAuthenticationSuccessHandler)
                .failureHandler(simpleUrlAuthenticationFailureHandler)

问题是它在未收到凭据时重定向到登录表单.由于这是一项 REST 服务，因此不应该.

The problem is it redirects to a login form when it doesn't receive credentials. Since this is a REST service it shouldn't.

文档 FormLoginConfigurer(.formLogin() 使用的类)说:

创建的共享对象

填充了以下共享对象

AuthenticationEntryPoint

但找不到覆盖它的方法.
有什么想法吗?

But couldn't find a way to override it.
Any ideas?

附言
不要认为将登录表单覆盖为仅返回错误的自定义表单是个好主意.

P.S.
Don't think it would be a good idea to override the login form to a custom one that only returns the error.

推荐答案

您提供的参考文档中的引用指向 http.exceptionHandling().您可以在那里设置共享入口点.

The quote from the ref docs you provided is pointing you at http.exceptionHandling(). You can set up the shared entry point there.

http.exceptionHandling().authenticationEntryPoint(myEntryPoint);

这篇关于如何在没有 XML 配置的情况下定义自定义 AuthenticationEntryPoint的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！