[英]spring boot, how does default authentication failure handler work
This is the thing, I have developed a simple spring boot security app using a in memory DB. 这就是事实,我使用内存数据库开发了一个简单的spring boot security应用程序。 On successfull authentication it redirects to another site, my problem comes on authentication failure because it shows me a blank screen.
身份验证成功后,它将重定向到另一个站点,我的问题来自身份验证失败,因为它向我显示了一个空白屏幕。
I have set up a single spring security app and implemented an AuthenticationFailureHandler and an AuthenticationSuccessHandler. 我已经设置了一个单独的spring安全应用程序,并实现了AuthenticationFailureHandler和AuthenticationSuccessHandler。 When I'm not using a custom AuthenticationFailureHandler I do get a BAD CREDENTIALS message on the screen.
当我不使用自定义AuthenticationFailureHandler时,在屏幕上会收到一条BAD CREDENTIALS消息。
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import com.tech.app.security.handler.CsegAuthenticationFailureHandler;
import com.tech.app.security.handler.CsegAuthenticationSuccessHandler;
@SuppressWarnings("deprecation")
@Configuration
@EnableWebSecurity
public class CsegSecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
private CsegAuthenticationSuccessHandler successHandler;
@Autowired
private CsegAuthenticationFailureHandler failureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests().antMatchers(HttpMethod.POST, "/login").permitAll()
.anyRequest().authenticated().and()
.formLogin()
.successHandler(successHandler)
.failureHandler(failureHandler);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication().passwordEncoder(NoOpPasswordEncoder.getInstance()).withUser("user").password("password").roles("USER");
}
}
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;
import com.fasterxml.jackson.databind.ObjectMapper;
@Component
public class CsegAuthenticationFailureHandler implements AuthenticationFailureHandler{
private ObjectMapper objectMapper = new ObjectMapper();
private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
System.out.println("credenciales invalidas");
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> data = new HashMap<>();
data.put("timestamp", Calendar.getInstance().getTime());
data.put("exception", exception.getMessage());
response.getOutputStream()
.println(objectMapper.writeValueAsString(data));
redirectStrategy.sendRedirect(request, response, "/login?error=true");
}
}
What I want is that on authentication failure save a record in the DB and return to the default login page generated by spring with the corresponding BAD CREDENTIALS message on the screen. 我想要的是在身份验证失败时将记录保存在DB中,并返回spring生成的默认登录页面,并在屏幕上显示相应的BAD CREDENTIALS消息。 Also I want to know where is that default AuthenticationFailureHandler and how it works.
我也想知道默认的AuthenticationFailureHandler在哪里以及它如何工作。 All I get is a blank screen
我所得到的只是一个空白屏幕
Redirection is made by setting proper Location
header to the response. 通过将适当的
Location
标头设置为响应来进行重定向。 Having youtput stream, you must first write protocol, headers, response body - in that specific order. 具有youtput流后,您必须首先以该特定顺序编写协议,标头,响应主体。
You cannot write headers if you started writing body (unless you are buffering the output). 如果您开始编写正文,则不能编写标头(除非您正在缓冲输出)。 So either write body, or do redirection.
因此,要么写正文,要么做重定向。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.