Spring Oauth2 - 自定义异常处理程序

Question

在Spring Security基于Oauth2的身份验证中,当客户端发送需要刷新的访问令牌时,DefaultTokenServices类会抛出InvalidTokenException(参见第235行):

https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java

发生这种情况时的输出是这样的:

{"error":"invalid_token","error_description":"Invalid access token: a0cb5ab9-7281-46bd-a9a2-796a04a906c9"
}

我想改变这个输出,但我迷路了.其他一些答案建议设置一个自定义的exceptionRenderer,但这也不起作用,我的自定义异常渲染器在这些情况下永远不会被调用.

还有一种称为异常翻译器的东西,但无论如何它们都没有被称为.

我的春季配置的一部分:

<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="typeName" value="Basic"/>
    <property name="exceptionRenderer" ref="myExceptionRenderer" />
</bean>


<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
      <property name="exceptionRenderer" ref="myExceptionRenderer" />
      <property name="exceptionTranslator" ref="listyOauthExceptionTranslator" />
</bean>

<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" >
 <property name="exceptionRenderer" ref="myExceptionRenderer" />
 <property name="exceptionTranslator" ref="myExceptionTranslator" />
</bean>

<bean id="myExceptionRenderer" class="com.example.exceptions.MyOauth2ExceptionRenderer" />

<bean id="myExceptionTranslator" class="com.example.exceptions.MyOauth2ExceptionTranslator" />

异常渲染器:

public class MyExceptionRenderer implements OAuth2ExceptionRenderer {

@Override
public void handleHttpEntityResponse(HttpEntity<?> responseEntity, ServletWebRequest webRequest) throws Exception {
    System.out.println("Thrown exception");
}

}

我还添加了一个自定义的异常映射器,它应该获得所有异常,但是因为我假设它的另一个servlet,在这种情况下这不起作用吗？

@Provider
public class GenericExceptionMapper implements ExceptionMapper<Throwable> {

@Override 
public Response toResponse(Throwable ex) {
    System.out.println("MAPPING EXCEPTION");
    return Response.status(200).entity().build();
}
}

我可以捕获AuthenticationException的情况,但不能捕获任何InvalidTokenExceptions.

对此有何帮助？Spring实际上在哪里捕获此InvalidTokenException以及如何设置它以便我可以提供自定义输出？

Answer 1

InvalidTokenException扩展ClientAuthenticationException.所以你可以通过扩展ClientAuthenticationException和抛出它来创建自己的异常而不是InvalidTokenException

public class CustomException extends ClientAuthenticationException {

    public CustomException(String msg, Throwable t) {
        super(msg, t);
    }

    public CustomException(String msg) {
        super(msg);
    }
    @Override
    public String getOAuth2ErrorCode() {
        return "my_custom_exception";
    }
}

喜欢

throw new CustomException("Invalid access token: " + accessTokenValue);

在InvalidTokenException引发的错误中

 {"error":"invalid_token","error_description":"Invalid access token: a0cb5ab9-7281-46bd-a9a2-796a04a906c9"}

invalid_token由getOAuth2ErrorCode()InvalidTokenException方法返回,并且Invalid access token: a0cb5ab9-7281-46bd-a9a2-796a04a906c9是抛出异常时给出的消息.

如果你扔了

 throw new CustomException("This is my custom exception");

错误将显示为

{"error":"my_custom_exception","error_description":"This is my custom exception"}

my_custom_exception是从哪里来getOAuth2ErrorCode()的CustomException.