amp*_*ila 3 | tags: spring-security, spring-java-config
I need to authenticate some REST services using a token ID in the URL (or possibly in a request header), but that is not important for now. I am trying to set this up with Java config, using this post as a guide. My problem is that I do not know how to handle the BadCredentialsException thrown when authentication fails in the provider. Here is my security config:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

public static class SecurityConfigForRS extends
        WebSecurityConfigurerAdapter {

    @Autowired
    TokenAuthenticationProvider tokenAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        // Register the custom provider that validates the token
        auth.authenticationProvider(tokenAuthenticationProvider);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean()
            throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.regexMatcher("^/rest.*")
                .addFilterBefore(
                        new TokenAuthenticationFilter(
                                authenticationManagerBean()),
                        AbstractPreAuthenticatedProcessingFilter.class)
                .and().csrf().disable();
    }
}
```
For now I am skipping the other implementations; I will post them later if it helps.
When the token is missing or invalid, TokenAuthenticationProvider throws a BadCredentialsException. I need to catch this and send back a 401 Unauthorized. Is it possible to do that?
The first Filter I created was a subclass of GenericFilterBean, which does not support an authentication failure handler or success handler. AbstractAuthenticationProcessingFilter, however, supports success and failure handlers. My filter is as simple as this:
```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class TokenAuthenticationProcessingFilter extends
        AbstractAuthenticationProcessingFilter {

    public TokenAuthenticationProcessingFilter(
            RequestMatcher requiresAuthenticationRequestMatcher) {
        super(requiresAuthenticationRequestMatcher);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException,
            IOException, ServletException {
        // Placeholder token so the provider rejects a request without auth_token
        Authentication auth = new TokenAuthentication("-1");
        try {
            Map<String, String[]> params = request.getParameterMap();
            if (!params.isEmpty() && params.containsKey("auth_token")) {
                String token = params.get("auth_token")[0];
                if (token != null) {
                    auth = new TokenAuthentication(token);
                }
            }
            return this.getAuthenticationManager().authenticate(auth);
        } catch (AuthenticationException ae) {
            // Invokes the configured AuthenticationFailureHandler (sends the 401)
            unsuccessfulAuthentication(request, response, ae);
        }
        // null tells AbstractAuthenticationProcessingFilter that authentication did
        // not complete, so the failed attempt is not passed to successfulAuthentication
        return null;
    }
}
```
My HTTP security is:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;

public static class SecurityConfigForRS extends
        WebSecurityConfigurerAdapter {

    @Autowired
    TokenAuthenticationProvider tokenAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.authenticationProvider(tokenAuthenticationProvider);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean()
            throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    protected AbstractAuthenticationProcessingFilter getTokenAuthFilter()
            throws Exception {
        // Only requests matching /rest.* go through the token filter
        TokenAuthenticationProcessingFilter tapf = new TokenAuthenticationProcessingFilter(
                new RegexRequestMatcher("^/rest.*", null));
        tapf.setAuthenticationManager(authenticationManagerBean());
        return tapf;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.regexMatcher("^/rest.*")
                .addFilterAfter(getTokenAuthFilter(),
                        BasicAuthenticationFilter.class).csrf().disable();
    }
}
```
The order in the filter chain does not matter! I put it after BasicAuthenticationFilter and it works fine. There may of course be a better solution, but for now this works!
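As an added example (not code from the question or the answer above), here is a variant of the answer's filter that reads the token from an `Authorization: Bearer` header, as the question mentions, and wires an explicit 401 failure handler instead of the default redirect-to-login behaviour. It assumes the asker's `TokenAuthentication` type exists and that the REST API is stateless, so a successful authentication should continue the filter chain rather than redirect.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical variant of the answer's filter; TokenAuthentication is the
// asker's own Authentication type and is assumed to exist as on the page.
public class HeaderTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public HeaderTokenAuthenticationFilter(RequestMatcher matcher) {
        super(matcher);
        // Replace the default failure handler (redirect to a login page) with a plain 401
        setAuthenticationFailureHandler((request, response, exception) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "Bearer");
            response.setContentType("text/plain");
            response.getWriter().write("unauthorized");
        });
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            // Missing header: fail here; doFilter() routes this to the handler above
            throw new BadCredentialsException("Missing bearer token");
        }
        String token = header.substring("Bearer ".length()).trim();
        // The provider validates the token and throws BadCredentialsException if invalid
        return getAuthenticationManager().authenticate(new TokenAuthentication(token));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain, Authentication authResult)
            throws IOException, ServletException {
        // Stateless REST call: no redirect, just store the result and continue the chain
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}
```

Keeping the token in a header rather than a query parameter also keeps it out of access logs and browser history, which is why the question's "possibly in the request header" option is the one to prefer.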