Spring Boot: disable security for status exception code
Question
I have a Spring Boot application, with security. And I have removed the authentication for this "/login" url.
My Security Configuration
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private final JwtFilter jwtFilter;
@Autowired
public SecurityConfiguration(JwtFilter jwtFilter) {
this.jwtFilter = jwtFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.anonymous().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.anyRequest().authenticated().and()
.apply(new JwtConfigurerAdapter(jwtFilter)).and()
.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs");
web.ignoring().antMatchers("/login");
}
}
My NotFound exception
@ResponseStatus(value = HttpStatus.NOT_FOUND)
public class NotFound extends RuntimeException {
public NotFound(String message) {
super(message);
}
}
My rest controller with login url and exception return value
@RestController
public class LoginController implements LoginService {
@Override
@GetMapping(value = "/login", produces = MediaType.APPLICATION_JSON_VALUE)
public UserInfo loginUsingJson(String username, String password) {
return findUser(username, password)).orElseThrow(() -> new NotFound("There does not exist any user by those credentials"));
}
}
Okay, here is my problem. When I call GET on "/login" and the UserInfo exists, it will return the user as JSON. This works because of web.ignoring().antMatchers("/login"); , but if the user does not exist, then the exception NotFound with the http error code 404, will not show. It is now returning error code 401 Not Authorized.
I'm guessing it has something todo with HttpSecurity, where I have to add some exception or something so the exception code can be returned. But where do I allow exception handling to be ignored in the authorization of HttpSecurity?
1 answers
solution1
3 2018-09-24 13:41:24
I found the answer, and would like to help others in the same situation.
My problem was that, when returning an rest exception with the errorcode 404 NotFound, Spring Boot would automatically redirect to url "/error". But this url map needs to be opened for business. So I had to ignore the authorization for this url also.
Here the solution is to add this:
web.ignoring().antMatchers("/error");
And here is the changed class:
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private final JwtFilter jwtFilter;
@Autowired
public SecurityConfiguration(JwtFilter jwtFilter) {
this.jwtFilter = jwtFilter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.anonymous().and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.anyRequest().authenticated().and()
.apply(new JwtConfigurerAdapter(jwtFilter)).and()
.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs");
web.ignoring().antMatchers("/login");
web.ignoring().antMatchers("/error");
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.