[英]Catching exception thrown in AuthenticationProvider
我正在实现自定义的“AuthenticationProvider”。 如果未通过身份验证,我将在“身份验证”函数中抛出异常,如下所示。
public class DelegatingLdapAuthenticationProvider implements AuthenticationProvider {
private ActiveDirectoryLdapAuthenticationProvider primaryProvider;
private List<ActiveDirectoryLdapAuthenticationProvider> secondaryProviders = new ArrayList<>();
public DelegatingLdapAuthenticationProvider() {
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Authentication result = null;
AuthenticationException exception = null;
try {
result = primaryProvider.authenticate(authentication);
} catch (AuthenticationException e) {
exception = e;
for (ActiveDirectoryLdapAuthenticationProvider secondaryProvider : secondaryProviders) {
try {
result = secondaryProvider.authenticate(authentication);
if (result.isAuthenticated()) {
break;
}
} catch (AuthenticationException e1) {
exception = e;
}
}
}
if (result == null || !result.isAuthenticated()) {
throw exception;
}
return result;
}
我有如下所示的全局异常处理程序。
@ControllerAdvice
public class GlobalExceptionHandler {
@ExceptionHandler({NoPermissionException.class})
@ResponseBody
@ResponseStatus(value = HttpStatus.FORBIDDEN)
public Map<String, String> noPermission(NoPermissionException e) {
return createErrorResponse(e, "Don't have permissions");
}
@ExceptionHandler({Exception.class})
@ResponseBody
@ResponseStatus(value = HttpStatus.INTERNAL_SERVER_ERROR)
public Map<String, String> exceptionInProcessing(Exception e) {
return createErrorResponse(e, "Unable to process. Unknown error occurred: " + e.getMessage());
}
private Map<String, String> createErrorResponse(Exception e, String errorMessage) {
Map<String, String> errorResponse = new HashMap<>();
errorResponse.put("message", errorMessage);
errorResponse.put("reason", e.toString());
return errorResponse;
}
}
当在 'authenticate' 函数内抛出异常时,不会调用全局异常处理程序。 对于所有其他异常,它正在被调用。 我想在全局异常处理程序中捕获异常并返回自定义错误消息。 我怎样才能做到这一点? 任何帮助表示赞赏。 提前致谢。
GlobalExceptionHandler
用于控制器异常处理程序,但AuthenticationProvider
仍在过滤器中,如果要处理AuthenticationException
,则需要对其进行处理以实现AuthenticationEntryPoint
并覆盖commence
方法。
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException
AuthenticationException
和AccessDeniedException
已经由ExceptionTranslationFilter
处理。 你只需要注入AuthenticationEntryPoint
和AccessDeniedHandler
(它们处理AccessDeniedException
)
或者您可以在过滤器中捕获这些异常,然后在过滤器中处理它,例如AbstractAuthenticationProcessingFilter
AuthenticationFailureHandler
在控制器异常处理程序有机会捕获异常之前调用身份验证提供程序。
您可以覆盖AuthenticationFailureHandler来处理安全过滤器链级别的异常,查看示例
文档中描述的行为:
过滤器调用配置的 AuthenticationManager 来处理每个身份验证请求。 身份验证成功或身份验证失败后的目的地分别由 AuthenticationSuccessHandler 和 AuthenticationFailureHandler 策略接口控制。 过滤器具有允许您设置这些属性的属性,以便您可以完全自定义行为
正如@chaoluo已经说过,你需要实现AuthenticationEntryPoint
和覆盖commence
方法。 如果要返回错误 JSON 对象,可以执行以下操作:
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setContentType(MediaType.APPLICATION_JSON_VALUE);
//create errorObj
PrintWriter writer = response.getWriter();
mapper.writeValue(writer, errorObj);
writer.flush();
}
补充@chaoluo的回答:
AuthenticationEntryPoint
接口并通过HandlerExceptionResolver
解决异常:@Component("restAuthenticationEntryPoint")
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint, AccessDeniedHandler {
@Autowired
private HandlerExceptionResolver resolver;
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) {
resolver.resolveException(request, response, null, exception);
}
}
RestAuthenticationEntryPoint
注入您的WebSecurityConfigurerAdapter
实现并将其用作 authenticationEntryPoint:@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthenticationEntryPoint authenticationEntryPoint;
@Override
public void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.and()
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
}
HandlerExceptionResolver
解决了异常,我们可以使用典型的 Spring Web 错误处理使用@ControllerAdvice
和@ExceptionHandler
注释:@RestControllerAdvice
public abstract class ErrorsControllerAdvice {
@ExceptionHandler
public ResponseEntity<?> handleException(Throwable exception, WebRequest webRequest, Locale locale) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED);
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.