Ava*_*dor 8 java authentication spring spring-security
这是 Spring Security 配置的典型部分:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().and().cors().disable();
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
http.authorizeRequests().antMatchers("/login", "/api/v1/auth/**").permitAll();
http.authorizeRequests().anyRequest().authenticated();
}
我有一个问题http.authorizeRequests().anyRequest().authenticated()。
添加后,当我调用不存在的端点时,例如:GET: /api/v1/not-existing,我收到403而不是预期的404响应。
我想保护我的所有资源,但我想在调用不存在的资源时得到 404。
我该如何修复它?
我对这种行为很满意。如果用户没有经过身份验证,为什么还要费心告诉他有关您系统的更多信息。就像如果一个用户没有权限查看你的硬盘,为什么需要让他可以发现你的硬盘目录树结构。
如果你确实想返回404,你需要AuthenticationEntryPoint在. 如果用户没有足够的权限访问端点(即发生),它们都会被调用。前者针对匿名用户,后者针对非匿名用户(即认证成功但没有足够权限的用户)AccessDeniedHandlerExceptionTranslationFilterAccessDeniedException
它们的默认实现(即Http403ForbiddenEntryPoint和AccessDeniedHandlerImpl)都简单地返回 403 now 。您必须自定义它们,以便它们首先检查是否存在为当前服务提供服务的现有端点HttpServletRequest,如果没有则返回 404。您可以通过循环遍历HandlerMapping内部DispatcherServlet并检查是否有任何一个HandlerMapping可以处理当前的来完成此操作HttpServletRequest。
首先创建一个执行此检查的对象:
public class HttpRequestEndpointChecker {
private DispatcherServlet servlet;
public HttpRequestEndpointChecker(DispatcherServlet servlet) {
this.servlet = servlet;
}
public boolean isEndpointExist(HttpServletRequest request) {
for (HandlerMapping handlerMapping : servlet.getHandlerMappings()) {
try {
HandlerExecutionChain foundHandler = handlerMapping.getHandler(request);
if (foundHandler != null) {
return true;
}
} catch (Exception e) {
return false;
}
}
return false;
}
}
然后自定义AuthenticationEntryPoint并AccessDeniedHandler使用该对象进行检查:
public class MyAccessDeniedHandler extends AccessDeniedHandlerImpl {
private HttpRequestEndpointChecker endpointChecker;
public MyAccessDeniedHandler(HttpRequestEndpointChecker endpointChecker) {
this.endpointChecker = endpointChecker;
}
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
if (!endpointChecker.isEndpointExist(request)) {
response.sendError(HttpServletResponse.SC_NOT_FOUND, "Resource not found");
} else {
super.handle(request, response, accessDeniedException);
}
}
}
public class MyAuthenticationEntryPoint extends Http403ForbiddenEntryPoint {
private HttpRequestEndpointChecker endpointChecker;
public MyAuthenticationEntryPoint(HttpRequestEndpointChecker endpointChecker) {
this.endpointChecker = endpointChecker;
}
@Override
public void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException {
if (!endpointChecker.isEndpointExist(request)) {
response.sendError(HttpServletResponse.SC_NOT_FOUND, "Resource not found");
} else {
super.commence(request, response, authException);
}
}
}
并配置它们:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DispatcherServlet dispatcherServlet;
@Autowired
private HttpRequestEndpointChecker endpointChecker;
@Override
protected void configure(HttpSecurity http) throws Exception {
..............
..............
http.exceptionHandling()
.authenticationEntryPoint(new MyAuthenticationEntryPoint(endpointChecker))
.accessDeniedHandler(new MyAccessDeniedHandler(endpointChecker));
}
@Bean
public HttpRequestEndpointChecker endpointChecker() {
return new HttpRequestEndpointChecker(dispatcherServlet);
}
}
| 归档时间: |
|
| 查看次数: |
2994 次 |
| 最近记录: |