- iOS/Objective-C 元类和类别
- objective-c - -1001 错误,当 NSURLSession 通过 httpproxy 和/etc/hosts
- java - 使用网络类获取 url 地址
- ios - 推送通知中不播放声音
这个问题其实和这个issue有关problem .
根据@harsh-poddar 的建议,我相应地添加了过滤器。
但是,添加后似乎即使使用有效凭据我也无法登录。
相关代码如下:
安全配置
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
// @Bean
// public CustomAuthenticationEntryPoint customAuthenticationEntryPoint() {
// return new CustomAuthenticationEntryPoint();
// }
@Bean
public CustomExceptionTranslationFilter customExceptionTranslationFilter() {
return new CustomExceptionTranslationFilter(new CustomAuthenticationEntryPoint());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
//Note : Able to login without this filter, but after adding this, valid credential also fails
.addFilterAfter(customExceptionTranslationFilter(), ExceptionTranslationFilter.class)
// .exceptionHandling()
// .authenticationEntryPoint(new customAuthenticationEntryPoint())
// .and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.requestCache()
.requestCache(new NullRequestCache())
.and()
.httpBasic()
.and()
.csrf().disable();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(new CustomAuthenticationProvider());
}
}
CustomAuthenticationProvider
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
public CustomAuthenticationProvider() {
super();
}
@Override
public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
final String name = authentication.getName();
final String password = authentication.getCredentials().toString();
if (name.equals("admin") && password.equals("password")) {
final List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
final UserDetails principal = new User(name, password, grantedAuths);
final Authentication auth = new UsernamePasswordAuthenticationToken(principal, password, grantedAuths);
return auth;
} else {
throw new BadCredentialsException("NOT_AUTHORIZED");
}
}
@Override
public boolean supports(final Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
CustomExceptionTranslationFilter
@Component
public class CustomExceptionTranslationFilter extends ExceptionTranslationFilter {
public CustomExceptionTranslationFilter(AuthenticationEntryPoint authenticationEntryPoint) {
super(authenticationEntryPoint);
}
}
CustomAuthenticationEntryPoint
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized.");
}
}
p/s : sorry for the basic question, I'm really new in spring & spring security.
最佳答案
AuthenticationEntryPoint
的预期设计是启动/启动身份验证。但是,您的实现 CustomAuthenticationEntryPoint
不会执行此操作。相反,它只是发回未经授权的响应。请参阅 AuthenticationEntryPoint 的 javadoc有关实现细节的更多详细信息。
根据您的配置,您使用 HTTP Basic 进行身份验证:
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic();
}
此特定配置将自动配置 BasicAuthenticationEntryPoint
,它是 AuthenticationEntryPoint
的实现。根据 server protocol,BasicAuthenticationEntryPoint
将使用 WWW-Authenticate: Basic realm="User Realm"
的 http 响应 header 质询用户以进行身份验证。 .
但是,如果您正在配置自己的 CustomAuthenticationEntryPoint
,它最终会覆盖 BasicAuthenticationEntryPoint
,这不是您想要的。
other post推荐此配置,这又不是您想要的。
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.httpBasic()
.and()
.exceptionHandling().authenticationEntryPoint(new CustomAuthenticationEntryPoint());
}
如果您的主要目标是在身份验证失败时向用户提供自定义响应,那么我会建议使用配置了 AuthenticationFailureHandler
的表单登录配置。这是配置:
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin().failureHandler(new DefaultAuthenticationFailureHandler())
.and()
.csrf().disable(); // NOTE: I would recommend enabling CSRF
DefaultAuthenticationFailureHandler
的实现将是:
public class DefaultAuthenticationFailureHandler implements AuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
// Set status only OR do whatever you want to the response
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
}
}
AuthenticationFailureHandler专门设计用于处理失败的身份验证尝试。
关于java - Spring 安全 - 自定义 ExceptionTranslationFilter,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37129611/
这个问题其实和这个issue有关problem . 根据@harsh-poddar 的建议,我相应地添加了过滤器。 但是,添加后似乎即使使用有效凭据我也无法登录。 相关代码如下: 安全配置 @Enab
我有一个由 spring security 保护的 spring MVC RESTful 应用程序。客户端是 Angular JS。 但是我的登录和注销页面是普通的 jsp,我做基于表单的登录和注销。
我是一名优秀的程序员,十分优秀!