使用Spring Security在客戶端身份驗證上自定義OAuth2錯誤響應

Question

雖然這似乎是一項容易的任務，但事實恰恰相反。 我正在嘗試自定義OAuth2客戶端身份驗證請求的錯誤處理。 這樣做的目的是從響應消息中刪除異常堆棧跟蹤/消息。

上下文

• vanilla Oauth2 Spring Security實施
• Java Spring配置

完成任務所采取的步驟

1. 創建OAuth2ExceptionRenderer的自定義實現

2. 創建@Bean的實例OAuth2AuthenticationEntryPoint

    @Bean public OAuth2AuthenticationEntryPoint clientAuthEntryPoint() { OAuth2AuthenticationEntryPoint clientEntryPoint = new OAuth2AuthenticationEntryPoint(); clientEntryPoint.setTypeName("Basic"); clientEntryPoint.setRealmName("my-realm/client"); clientEntryPoint.setExceptionRenderer(new CustomOAuth2ExceptionRenderer()); return clientEntryPoint; } 

3. 創建訪問被拒絕處理程序

    @Bean public OAuth2AccessDeniedHandler accessDeniedHandler() { OAuth2AccessDeniedHandler adh = new OAuth2AccessDeniedHandler(); adh.setExceptionRenderer(new CustomOAuth2ExceptionRenderer()); return adh; } 

4. 充實到AuthorizationServerSecurityConfigurer ，等等，在這些特定的實現AuthorizationServerConfiguration

    @Configuration @EnableAuthorizationServer protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer.authenticationEntryPoint(clientAuthEntryPoint()); oauthServer.accessDeniedHandler(accessDeniedHandler()); oauthServer.realm("my-realm"); } } 

OAuth2請求

我們使用curl來啟動OAuth2 reuqests。 以下是我們用於測試客戶端身份驗證的命令：

curl --insecure -H "Accept: application/json" -X POST -iu adfadsf:asdvadfgadf "https://localhost:8430/oauth/token?grant_type=password$username=john&pasword=johny"

觀察到的行為

由於客戶端身份驗證是基本身份驗證，因此Spring Security會將BasicAuthenticationFilter分配給該步驟。 如果在與此步驟相關的后端發生錯誤（例如SQL異常），則Spring Security將不會選擇OAuth2AuthenticationEntryPoint並將返回默認入口點BasicAuthenticationEntryPoint 。

日志

o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException: show me the money
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@649f92da
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed```

Answer 1

你可以嘗試羅馬沃茲尼亞克在你的機票＃483上發布的解決方案。 它對我來說效果很好:)

• 羅馬沃茲尼亞克代碼：

   @Configuration @EnableAuthorizationServer protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { //... @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer .realm(RESOURCE_ID + "/client") .accessDeniedHandler(accessDeniedHandler) .authenticationEntryPoint(entryPoint); // This allows you to replace default filter for Basic authentication and customize error responses oauthServer.addTokenEndpointAuthenticationFilter( new BasicAuthenticationFilter(authenticationManager, entryPoint)); } }