问题描述

我有一个使用Jersey作为JAX-RS实现的Spring Boot应用程序.这是我的安全配置:

I have a Spring Boot app using Jersey as the JAX-RS implementation. This is my security configuration:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired TokenAuthenticationProvider tokenAuthenticationProvider;

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(tokenAuthenticationProvider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new AuthenticationTokenFilter(), BasicAuthenticationFilter.class)
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/dataHub/**")
                .authenticated();
    }
}

我想要做的是有一种方法来捕获我的TokenAuthenticationProvider抛出的异常，并将它们转换为我们已经同意的标准化JSON格式.有没有办法做到这一点?我尝试添加自定义AuthenticationFailureHandler，但无法正常工作.

What I want to be able to do is to have a way to catch the Exceptions thrown by my TokenAuthenticationProvider and convert them into a standardized JSON format that we have agreed upon. Is there a way to do this? I tried messing around with adding a custom AuthenticationFailureHandler, but couldn't get that to work.

推荐答案

WebSecurityConfigurerAdapter方法

HttpSecurity类具有一种称为 exceptionHandling 可以用来覆盖默认行为.以下示例介绍了如何自定义响应消息.

The HttpSecurity class has a method called exceptionHandling which can be used to override the default behavior. The following sample presents how the response message can be customized.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        // your custom configuration goes here
        .exceptionHandling()
        .authenticationEntryPoint((request, response, e) -> {
            String json = String.format("{\"message\": \"%s\"}", e.getMessage());
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().write(json);
        });
}

@ControllerAdvice方法-为什么在这种情况下不起作用

起初，我想到了@ControllerAdvice，它捕获了整个应用程序的身份验证异常.

At first I thought about @ControllerAdvice that catches authentication exceptions for the entire application.

import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;

@ControllerAdvice
public class AuthExceptionHandler {

    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    @ExceptionHandler(AuthenticationException.class)
    @ResponseBody
    public String handleAuthenticationException(AuthenticationException e) {
        return String.format("{\"message\": \"%s\"}", e.getMessage());
    }

}

在上面的示例中，JSON是手动构建的，但是您可以简单地返回一个POJO，该POJO将被映射到JSON中，就像从常规REST控制器中一样.从Spring 4.3开始，您还可以使用 @ RestControllerAdvice ，它是@ControllerAdvice和@ResponseBody的组合.

In the example above, the JSON is built manually, but you can simply return a POJO which will be mapped into JSON just like from a regular REST controller. Since Spring 4.3 you can also use @RestControllerAdvice, which is a combination of @ControllerAdvice and @ResponseBody.

但是，此方法无效，因为该异常是由AbstractSecurityInterceptor引发并由 ExceptionTranslationFilter .

However, this approach doesn't work because the exception is thrown by the AbstractSecurityInterceptor and handled by ExceptionTranslationFilter before any controller is reached.

这篇关于Spring Boot REST API/Spring Security:身份验证失败时返回自定义消息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！