gpt4 book ai didi

spring-security - 带有 Java 配置的 Spring Security : How to handle BadCredentialsException from a custom provider

转载 作者:行者123 更新时间:2023-12-04 06:52:40 24 4
gpt4 key购买 nike

我需要在 url 中使用 token id 来验证一些 rest 服务(或者可能在请求 header 中 - 但现在这并不重要)。我正在尝试使用 java 配置来设置此 post 作为指南.我的问题是我不知道如何处理提供者身份验证失败时抛出的“BadCredentialsException”。这是我的安全配置:

public static class SecurityConfigForRS extends
WebSecurityConfigurerAdapter {

@Autowired
TokenAuthenticationProvider tokenAuthenticationProvider;

@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(tokenAuthenticationProvider);
}

@Bean
@Override
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);

http.regexMatcher("^/rest.*")
.addFilterBefore(
new TokenAuthenticationFilter(
authenticationManagerBean()),
AbstractPreAuthenticatedProcessingFilter.class)
.and().csrf().disable();

}
}

现在我跳过其他实现 - 如果它有帮助我稍后会发布它们。

当 token 丢失或无效时,TokenAuthernticationProvider 抛出 BadCredentialsException。我需要捕获它并发回 401-Unauthorized。可以这样做吗?

最佳答案

我创建的第一个过滤器是 GenericFilterBean 的子类,它不支持身份验证失败处理程序或成功处理程序。但是,AbstractAuthenticationProcessingFilter 支持成功和失败处理程序。我的过滤器就这么简单:

public class TokenAuthenticationProcessingFilter extends
AbstractAuthenticationProcessingFilter {

public TokenAuthenticationProcessingFilter(
RequestMatcher requiresAuthenticationRequestMatcher) {
super(requiresAuthenticationRequestMatcher);
}

@Override
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException,
IOException, ServletException {
Authentication auth = new TokenAuthentication("-1");
try {
Map<String, String[]> params = request.getParameterMap();
if (!params.isEmpty() && params.containsKey("auth_token")) {
String token = params.get("auth_token")[0];
if (token != null) {
auth = new TokenAuthentication(token);
}
}
return this.getAuthenticationManager().authenticate(auth);
} catch (AuthenticationException ae) {
unsuccessfulAuthentication(request, response, ae);
}
return auth;
}}

我的 http 安全性是:

    public static class SecurityConfigForRS extends
WebSecurityConfigurerAdapter {

@Autowired
TokenAuthenticationProvider tokenAuthenticationProvider;

@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(tokenAuthenticationProvider);
}

@Bean
@Override
public AuthenticationManager authenticationManagerBean()
throws Exception {
return super.authenticationManagerBean();
}

@Bean
protected AbstractAuthenticationProcessingFilter getTokenAuthFilter()
throws Exception {
TokenAuthenticationProcessingFilter tapf = new TokenAuthenticationProcessingFilter(
new RegexRequestMatcher("^/rest.*", null));
tapf.setAuthenticationManager(authenticationManagerBean());
return tapf;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
super.configure(http);

http.regexMatcher("^/rest.*")
.addFilterAfter(getTokenAuthFilter(),
BasicAuthenticationFilter.class).csrf().disable();

}
}

过滤器链顺序确实很重要!我把它放在 BasicAuthenticationFilter 之后,它工作正常。当然,可能有更好的解决方案,但目前这可行!

关于spring-security - 带有 Java 配置的 Spring Security : How to handle BadCredentialsException from a custom provider,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/21779967/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com