[英]Spring Boot - Custom Authentication Filter without using the WebSecurityConfigurerAdapter
[英]Authentication handling in Spring boot 2.x with WebSecurityConfigurerAdapter
我正在使用 spring 啟動 2.0.5 對 spring 安全性為 5.0.8
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
為了測試目的,我從 rest controller 拋出異常,如下所示。
@GetMapping("/greeting")
public Greeting greeting(@RequestParam(value = "name", defaultValue = "World") String name) {
throw new org.springframework.security.authentication.BadCredentialsException("yoyo");
}
這就是配置 class 的樣子,
@Configuration
@EnableWebSecurity
public class BasicConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/error");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().antMatchers("/error").permitAll();
}
}
自從 spring 啟動文檔說,我添加了 /error,
Spring Boot 2.0 doesn't deviate too much from Spring Security's defaults, as a result of which some of the endpoints that bypassed Spring Security in Spring Boot 1.5 are now secure by default. 其中包括錯誤端點和 static 資源的路徑,例如 /css/ 、 /js/ 、 /images/ 、 /webjars/ 、 /**/favicon.ico 。 如果你想打開這些,你需要明確地配置它。
在 spring 引導應用程序 class 中添加以下內容
@SpringBootApplication(exclude = {SecurityAutoConfiguration.class })
當我到達 rest 端點時,我得到了,
{
"timestamp": "2021-01-17T03:52:50.069+0000",
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/greeting"
}
但我希望狀態 401 帶有 "message": "yoyo" 如下所示,
{
"timestamp": 2021-01-17T03:52:50.069+0000,
"status": 401,
"error": "Unauthorized",
"message": "yoyo",
"path": "/greeting"
}
我需要做哪些改變才能獲得響應
添加http.exceptionHandling().authenticationEntryPoint(..)
以獲得Unauthorized
而不是Forbidden
error
字段。
@Configuration
@EnableWebSecurity
public class BasicConfiguration extends WebSecurityConfigurerAdapter {
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/error");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().antMatchers("/error").permitAll();
http.exceptionHandling().authenticationEntryPoint((request, response, ex) -> {
// You can add more logic to return different error codes
response.sendError(401, "Unauthorized");
});
}
}
定義一個新的 class 返回ex.getMessage()
而不是Access Denied
for message
字段。
@Component
public class CustomErrorAttributes extends DefaultErrorAttributes {
@Override
protected String getMessage(WebRequest webRequest, Throwable error) {
return error.getMessage();
}
}
Output:
{
"timestamp": "2021-01-20T15:06:33.122+00:00",
"status": 401,
"error": "Unauthorized",
"message": "yoyo",
"path": "/greeting"
}
我猜你看不到你拋出的異常,因為“問候”端點是安全的,並且 spring 安全處理它自己。
將“/greeting”設置為不安全,以便您可以訪問它並獲取自定義錯誤
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable().authorizeRequests().antMatchers("/**").permitAll();
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.