使用Spring Security在客户端身份验证上自定义OAuth2错误响应

Question

虽然这似乎是一项容易的任务,但事实恰恰相反.我正在尝试自定义OAuth2客户端身份验证请求的错误处理.这样做的目的是从响应消息中删除异常堆栈跟踪/消息.

上下文

• vanilla Oauth2 Spring Security实施
• Java Spring配置

完成任务所采取的步骤

1. 创建自定义实现 OAuth2ExceptionRenderer

2. 创建一个@Bean实例OAuth2AuthenticationEntryPoint

   @Bean
   public OAuth2AuthenticationEntryPoint clientAuthEntryPoint()
   {
       OAuth2AuthenticationEntryPoint clientEntryPoint = new OAuth2AuthenticationEntryPoint();
       clientEntryPoint.setTypeName("Basic");
       clientEntryPoint.setRealmName("my-realm/client");
       clientEntryPoint.setExceptionRenderer(new CustomOAuth2ExceptionRenderer());
       return clientEntryPoint;
   }
   

3. 创建访问被拒绝处理程序

   @Bean
   public OAuth2AccessDeniedHandler accessDeniedHandler()
   {
       OAuth2AccessDeniedHandler adh = new OAuth2AccessDeniedHandler();
       adh.setExceptionRenderer(new CustomOAuth2ExceptionRenderer());
       return adh;
   }
   

4. AuthorizationServerSecurityConfigurer除其他外,通过这些专门的实现来增强AuthorizationServerConfiguration

   @Configuration
   @EnableAuthorizationServer
   protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter
   {
       @Override
       public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
       {
           oauthServer.authenticationEntryPoint(clientAuthEntryPoint());
           oauthServer.accessDeniedHandler(accessDeniedHandler());
           oauthServer.realm("my-realm");
       }
   }
   

OAuth2请求

我们使用curl来启动OAuth2 reuqests.以下是我们用于测试客户端身份验证的命令:

curl --insecure -H "Accept: application/json" -X POST -iu adfadsf:asdvadfgadf "https://localhost:8430/oauth/token?grant_type=password$username=john&pasword=johny"

观察到的行为

由于客户端身份验证是基本身份验证,因此Spring Security将为该BasicAuthenticationFilter步骤分配一个.如果它恰好在与此步骤相关的后端中出现错误(例如SQL异常),则Spring Security将不会接收OAuth2AuthenticationEntryPoint并退回到默认入口点BasicAuthenticationEntryPoint.

日志

o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException: show me the money
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@649f92da
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed```

Answer 1

您可以尝试 Roman Wozniak 在您的票号#483上发布的解决方案。它对我来说效果很好:)

• 罗曼·沃兹尼亚克的代码：

  @Configuration
  @EnableAuthorizationServer
  protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
  
    //...
  
      @Override
      public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
          oauthServer
                      .realm(RESOURCE_ID + "/client")
                      .accessDeniedHandler(accessDeniedHandler)
                      .authenticationEntryPoint(entryPoint);
  
          // This allows you to replace default filter for Basic authentication and customize error responses
          oauthServer.addTokenEndpointAuthenticationFilter(
                  new BasicAuthenticationFilter(authenticationManager, entryPoint));
          }
  }