问题描述
我仍然有新的春天尤其是在春季安全。此应用程序是RESTful应用程序。
I still new with Spring especially spring security. This application is Restful application.
以下是从片段@RestController:
Following is snippet from @RestController :
@RequestMapping(value = "/new", method = RequestMethod.POST)
@PreRegistration("new")
@ResponseBody
public ResponseEntity<Void> newUser(@RequestBody @Valid TempUser user, UriComponentsBuilder ucBuilder) {
registerService.addUser(user);
HttpHeaders headers = new HttpHeaders();
headers.setLocation(ucBuilder.path("/register/{userName}").buildAndExpand(user.getUserName()).toUri());
return new ResponseEntity<Void>(headers, HttpStatus.CREATED);
}
以下是从CustomAuthenticationProvider的片段:
Following is the snippet from CustomAuthenticationProvider:
@Override
public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
final String name = authentication.getName();
final String password = authentication.getCredentials().toString();
if (name.equals("admin") && password.equals("system")) {
final List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
final UserDetails principal = new User(name, password, grantedAuths);
final Authentication auth = new UsernamePasswordAuthenticationToken(principal, password, grantedAuths);
return auth;
}
else {
throw new BadCredentialsException("NOT_AUTHORIZED");
}
}
SecurityConfig:
SecurityConfig :
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.requestCache()
.requestCache(new NullRequestCache())
.and()
.httpBasic()
.and()
.csrf().disable();
}
我尽量做到当CustomAuthenticationProvider引发的异常(如坏凭据或押金完整认证...,我想自定义的响应和JSON格式返回响应正文。
What I try to achieve is when the CustomAuthenticationProvider thrown an exception (e.g "bad credential" or "Full authentication required...", I want to customize the response and return to the Response Body in JSON format.
我所做的是创建一个新的异常,并使用AOP调用它。但是好像不工作。我还试图用@ControllerAdvice,但似乎不是控制器(我猜)。
What I have done is to create a new exception and invoke it using AOP. But it seems like not working. I also tried to use @ControllerAdvice, but it seems like not working as well since the CustomAuthenticationProvider is outside the controller (I guess).
感谢您。
推荐答案
有就是这个更好的方法。你应该在春季安全配置和类,它实现的AuthenticationEntryPoint
界面添加的AuthenticationEntryPoint
。事情是这样的:
There is a better way for this. You should add authenticationEntryPoint
in spring security config and class, which implements AuthenticationEntryPoint
interface. Something like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login").permitAll()
.anyRequest().authenticated()
.and()
.requestCache()
.requestCache(new NullRequestCache())
.and()
.httpBasic()
// --> begin change: new lines added
.and()
.exceptionHandling().authenticationEntryPoint(new AuthExceptionEntryPoint())
// <-- end change
.and()
.csrf().disable();
}
AuthExceptionEntryPoint类,生产JSON ObjectMapper
使用:
AuthExceptionEntryPoint class, for producing JSON Jackson ObjectMapper
used:
public class AuthExceptionEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException)
throws IOException, ServletException {
List<String> errors = new ArrayList<>();
errors.add("Unauthorized");
response.setContentType("application/json");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
try {
ObjectMapper mapper = new ObjectMapper();
mapper.writeValue(response.getOutputStream(), errors);
} catch (Exception e) {
throw new ServletException();
}
}
}
有关春季安全配置的更多信息,你可以阅读的
这篇关于春季安全与@RestController - JSONish CustomAuthenticationProvider响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!