我正在使用Spring MVC @ControllerAdvice并@ExceptionHandler处理REST Api的所有异常.它适用于Web mvc控制器抛出的异常,但它不适用于spring安全自定义过滤器抛出的异常,因为它们在调用控制器方法之前运行.
我有一个自定义弹簧安全过滤器,它执行基于令牌的身份验证:
public class AegisAuthenticationFilter extends GenericFilterBean {
...
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
try {
...
} catch(AuthenticationException authenticationException) {
SecurityContextHolder.clearContext();
authenticationEntryPoint.commence(request, response, authenticationException);
}
}
}
使用此自定义入口点:
@Component("restAuthenticationEntryPoint")
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint{
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authenticationException) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authenticationException.getMessage());
}
}
并使用此类来处理全局异常:
@ControllerAdvice
public class RestEntityResponseExceptionHandler extends ResponseEntityExceptionHandler {
@ExceptionHandler({ InvalidTokenException.class, AuthenticationException.class })
@ResponseStatus(value = HttpStatus.UNAUTHORIZED) …我希望在Spring对请求进行身份验证之后对某些参数进行一些额外的检查(在过滤器中),并基于那些想要允许或阻止登录的检查.如果检查失败,那么我想发送一个401响应而不是春天发送的200.任何帮助将受到高度赞赏.
提前致谢!
我的身份验证基于spring-boot-security-example.当我输入无效令牌时,我想抛出401 Unauthorized异常.但是,我总是找不到404资源.我的配置设置了一个异常处理,但它被忽略 - 可能是因为之前添加了我的AuthenticationFilter而请求没有到达我的异常处理程序.
我需要改变什么才能抛出401异常?
我有一个身份验证过滤器:
public class AuthenticationFilter extends GenericFilterBean {
...
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = asHttp(request);
HttpServletResponse httpResponse = asHttp(response);
Optional<String> token = Optional.fromNullable(httpRequest.getHeader("X-Auth-Token"));
try {
if (token.isPresent()) {
logger.debug("Trying to authenticate user by X-Auth-Token method. Token: {}", token);
processTokenAuthentication(token);
addSessionContextToLogging();
}
logger.debug("AuthenticationFilter is passing request down the filter chain");
chain.doFilter(request, response);
} catch (InternalAuthenticationServiceException internalAuthenticationServiceException) {
SecurityContextHolder.clearContext();
logger.error("Internal authentication service exception", internalAuthenticationServiceException);
httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); …我目前有这个RequestMapping,我通过正则表达式使用验证:
@RequestMapping(value = "/example/{id}", method = GET)
public Response getExample(
@PathVariable("id") String id,
@RequestParam(value = "myParam", required = true) @Valid @Pattern(regexp = MY_REGEX) String myParamRequest,
@RequestParam(value = "callback", required = false) String callback,
@RequestHeader(value = "X-API-Key", required = true) @Valid @Pattern(regexp = SEGMENTS_REGEX) String apiKeyHeader) {
// Stuff here...
}
然而,正则表达是不够的.相反,我想对header属性进行一些自定义验证,即
if (!API_KEY_LIST.contains(apiKeyHeader)) {
throw Exception();
}
这可能吗?
spring ×3
java ×2
filter ×1
servlets ×1
spring-boot ×1
spring-mvc ×1
spring-rest ×1
validation ×1