堆栈内存溢出
  繁体   English   中英

Spring Boot Security 不会抛出 401 Unauthorized Exception 但 404 Not Found

[英]Spring Boot Security does not throw 401 Unauthorized Exception but 404 Not Found

 原文  2016-01-12 20:26:31       java/ spring/ authentication/ spring-security

问题描述

我的身份验证基于spring-boot-security-example 当我输入无效令牌时,我想抛出 401 Unauthorized 异常。 但是,我总是得到 404 找不到资源。 我的配置设置了一个异常处理,但它被忽略了——可能是因为我的 AuthenticationFilter 是之前添加的,并且请求没有到达我的异常处理程序。

我需要更改什么才能抛出 401 异常?

我有一个身份验证过滤器:

public class AuthenticationFilter extends GenericFilterBean {

...

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpRequest = asHttp(request);
    HttpServletResponse httpResponse = asHttp(response);
    Optional<String> token = Optional.fromNullable(httpRequest.getHeader("X-Auth-Token"));

    try {
        if (token.isPresent()) {
            logger.debug("Trying to authenticate user by X-Auth-Token method. Token: {}", token);
            processTokenAuthentication(token);
            addSessionContextToLogging();
        }

        logger.debug("AuthenticationFilter is passing request down the filter chain");
        chain.doFilter(request, response);
    } catch (InternalAuthenticationServiceException internalAuthenticationServiceException) {
        SecurityContextHolder.clearContext();
        logger.error("Internal authentication service exception", internalAuthenticationServiceException);
        httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
    } catch (AuthenticationException authenticationException) {
        SecurityContextHolder.clearContext();
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authenticationException.getMessage());
    } finally {
        MDC.remove(TOKEN_SESSION_KEY);
        MDC.remove(USER_SESSION_KEY);
    }
}

private void addSessionContextToLogging() {
    ...
}

...

private void processTokenAuthentication(Optional<String> token) {
    Authentication resultOfAuthentication = tryToAuthenticateWithToken(token);
    SecurityContextHolder.getContext().setAuthentication(resultOfAuthentication);
}

private Authentication tryToAuthenticateWithToken(Optional<String> token) {
    PreAuthenticatedAuthenticationToken requestAuthentication = new PreAuthenticatedAuthenticationToken(token, null);
    return tryToAuthenticate(requestAuthentication);
}

private Authentication tryToAuthenticate(Authentication requestAuthentication) {
    Authentication responseAuthentication = authenticationManager.authenticate(requestAuthentication);
    if (responseAuthentication == null || !responseAuthentication.isAuthenticated()) {
        throw new InternalAuthenticationServiceException("Unable to authenticate Domain User for provided credentials");
    }
    logger.debug("User successfully authenticated");
    return responseAuthentication;
}

AuthenticationProvider 实现:

@Provider
public class TokenAuthenticationProvider implements AuthenticationProvider {

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    Optional<String> token = (Optional) authentication.getPrincipal();
    if (!token.isPresent() || token.get().isEmpty()) {
        throw new BadCredentialsException("No token set.");
    }
    if (!myCheckHere()){
        throw new BadCredentialsException("Invalid token");
    }

    return new PreAuthenticatedAuthenticationToken(myConsumerObject, null, AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_API_USER"));
}

...

}

以及如下所示的配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.
            csrf().disable().
            sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
            and().
            anonymous().disable().
            exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint());

    http.addFilterBefore(new AuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
}


@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(tokenAuthenticationProvider());
}


@Bean
public AuthenticationProvider tokenAuthenticationProvider() {
    return new TokenAuthenticationProvider();
}

@Bean
public AuthenticationEntryPoint unauthorizedEntryPoint() {
    return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}

4 个解决方案

解决方案1
 17 已采纳  2016-01-20 21:39:55

我在这个线程中找到了答案: Return HTTP Error 401 Code & Skip Filter Chains

代替

httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, authenticationException.getMessage());

我需要打电话

httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

当我不继续调用它并将状态设置为不同的代码时,链条似乎会停止 - 异常被正确抛出

解决方案2
 5  2016-01-17 17:17:25

我通过在我的顶级@SpringBootApplication类上添加以下注释来解决它:

@EnableAutoConfiguration(exclude = {ErrorMvcAutoConfiguration.class})

Spring Boot 会不会找不到它的默认错误页面?

解决方案3
 2  2018-09-26 21:40:26

除了上述答案之外,我修改了我的代码以实现 401,之前我在无效或丢失的令牌上得到 500。

public class JwtAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {

    public JwtAuthenticationTokenFilter() {
        super("/secure/**");
    }

    @Autowired
    private JWTService jwtService;

    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {


        String header = httpServletRequest.getHeader("Authorization");


        if (header == null || !header.startsWith("Bearer ")) {

            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Please pass valid jwt token.");


        }else if(jwtService.validate(header.substring(7))==null){

            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "jwt token is invalid or incorrect");

        }
        else{

            String authenticationToken = header.substring(7);

            JwtAuthenticationToken token = new JwtAuthenticationToken(authenticationToken);
            return getAuthenticationManager().authenticate(token);
        }

        return null;

    }

}

解决方案4
 0  2021-02-18 14:50:19

我知道这是一个老问题。 如果其他人方便的话,我只是添加它。

@Bean
public AuthenticationEntryPoint unauthorizedEntryPoint() {
    return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED, HttpStatus.UNAUTHORIZED.getReasonPhrase());
}

它也应该工作。 我刚刚调用了sendError()的另一个重载方法

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 错误 401 在 spring 启动/spring 安全中未经授权 Postman 给出 401 Unauthorized - “spring boot security” Spring Boot 安全性 - Postman 提供 401 Unauthorized 在 Spring Boot JPA 中使用 spring 安全 BCrypt 时出现 401 未授权 Spring Boot,Spring Security 返回状态 401 而不是 404,用于“未找到 HTTP 请求的映射” Spring Security - 401 未经授权的访问 Spring 安全中的 401 未经授权的错误 Spring 引导 401 未授权 Postman Spring 引导 - 抛出异常或指示未找到项目 401 未授权 spring 开机测试
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM