Spring Security 使用空的基本身份验证凭据响应空主体
[英]Spring Security responds empty body with empty basic auth credentials
问题描述
I'm trying to make a basic authentication service, for some business logic i need to acceept all basic auth credentials and make them hit another service (and there it will be fail if the credentials are wrong).
我正在尝试创建一个基本的身份验证服务,对于某些业务逻辑,我需要接受所有基本身份验证凭据并使它们访问另一个服务(如果凭据错误,它将失败)。 So I'm trying to throw an exception when the basic auth is not present, or are empty credentials.因此,当基本身份验证不存在或凭据为空时,我试图抛出异常。
This is my SecurityConfigurer:这是我的 SecurityConfigurer:
@Configuration
@EnableWebSecurity
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Autowired
STGAuthenticationProvider authProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and().httpBasic();
}
}
And this is my CustomAuthProvider:这是我的 CustomAuthProvider:
@Component
public class STGAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
String password = authentication.getCredentials().toString();
if(!StringUtils.isBlank(username) && !StringUtils.isBlank(password)) {
return new UsernamePasswordAuthenticationToken(username, password, new ArrayList<>());
} else {
throw new STGNoCredentialsException(Constants.Error.NO_CREDENTIALS);
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
Actually my app gives me "401 Unauthorized" if i send a request with no auth (I would really like to get my custom Exception you can see at my CustomAuthProvider).实际上,如果我发送没有身份验证的请求,我的应用程序会给我“401 Unauthorized”(我真的很想获得我的自定义异常,您可以在我的 CustomAuthProvider 上看到)。 And when i send just 1 credential (username or password), or no one, my service answer me with empty body at POSTMAN.当我只发送 1 个凭证(用户名或密码)或没有任何凭证时,我的服务人员会在 POSTMAN 用空身体回答我。 Can you guys help me?你们能帮帮我吗?
1 个解决方案
解决方案1
1 2020-02-13 18:50:16
From what I understand, your issue is similar to one I had a few days ago: I needed to return a 401 instead of a 403 whenever an endpoint was called with no authorisation or with auth token expired.据我了解,您的问题与我几天前遇到的问题类似:每当在没有授权或身份验证令牌过期的情况下调用端点时,我都需要返回 401 而不是 403。
With respect to your code, I would add .exceptionHandling().authenticationEntryPoint(...) to your WebSecurityConfigurerAdapter as follows关于您的代码,我会将.exceptionHandling().authenticationEntryPoint(...) 添加到您的 WebSecurityConfigurerAdapter 中,如下所示
@Configuration
@EnableWebSecurity
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
/* other stuff */
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and().httpBasic()
.exceptionHandling().authenticationEntryPoint(/*custom exception*/);
}
}
and then, instead of /*custom exception*/ add something as new MyAuthException() , where MyAuthException looks like the following:然后,而不是 /*custom exception*/ 添加一些东西作为new MyAuthException() ,其中 MyAuthException 如下所示:
@Component
public class MyAuthException implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) /*throws ...*/ {
response.setStatus(/* your status */);
response.getWriter().write(/*the body of your answer*/);
/* whatever else you want to add to your response */
/* or you could throw an exception, I guess*/
}
}
(I don't remember and right now I can't check whether this class needs to be marked as @Component , I think not).(我不记得了,现在我无法检查这个类是否需要标记为@Component ,我认为不需要)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.