authenticationentrypoint不处理复杂的authenticationexception

5w9g7ksd  于 2021-09-29  发布在  Java
关注(0)|答案(0)|浏览(211)

我正在尝试处理筛选器实现AbstractPreAuthenticationdProcessingFilter中引发的复杂身份验证异常,如下所示。

public class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
  @Override
  public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
    if (authException instanceof UsernameNotFoundException) {
      response.sendRedirect("https://myapp.com/signup");
    }
    if (authException instanceof CredentialsExpiredException) {
      response.sendRedirect("https://myapp.com/update/password");
    }
    if (authException instanceof LockedException) {
      response.sendRedirect("https://myapp.com/support/1");
    }
    if (authException instanceof DisabledException) {
      response.sendRedirect("https://myapp.com/support/2");
    }
    if (authException instanceof AccountExpiredException) {
      response.sendRedirect("https://myapp.com/update/account");
    }
    if (authException instanceof InsufficientAuthenticationException) {
      System.out.println("#########InsufficientAuthenticationException########");
    }
}

从中引发的每个异常
UserDetailsSchecker:https://github.com/spring-projects/spring-security/blob/006b9b960797d279b31cf8c8d16f1549c5632b2c/core/src/main/java/org/springframework/security/authentication/accountstatususerdetailschecker.java
用户详细信息服务:https://github.com/spring-projects/spring-security/blob/006b9b960797d279b31cf8c8d16f1549c5632b2c/core/src/main/java/org/springframework/security/core/userdetails/authenticationuserdetailsservice.java
但每次在我的测试中,都会在myauthenticationentrypoint中捕获UnficificientAuthenticationException。
这是我的网站安全配置。

@EnableWebSecurity
class MyWebSecurityConfigurer extends WebSecurityConfigurerAdapter {

  @Override
  public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/error");
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
      .antMatchers("/hello").hasRole("HELLO");
    http.exceptionHandling().authenticationEntryPoint(new MyAuthenticationEntryPoint());
    http.exceptionHandling().accessDeniedHandler(new MyAccessDeniedHandler());
    http.addFilter(getMyPreAuthenticatedProcessingFilter());
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
  }

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(getPreAuthenticatedAuthenticationProvider());
  }

  public AbstractPreAuthenticatedProcessingFilter getMyPreAuthenticatedProcessingFilter() throws Exception {
    var myPreAuthenticatedProcessingFilter = new MyPreAuthenticatedProcessingFilter();
    myPreAuthenticatedProcessingFilter.setAuthenticationManager(authenticationManager());
    return myPreAuthenticatedProcessingFilter;
  }

  public PreAuthenticatedAuthenticationProvider getPreAuthenticatedAuthenticationProvider() {
    var preAuthenticatedAuthenticationProvider = new PreAuthenticatedAuthenticationProvider();
    preAuthenticatedAuthenticationProvider.setPreAuthenticatedUserDetailsService(new MyAuthenticationUserDetailsService());
    return preAuthenticatedAuthenticationProvider;
  }
}

我猜是
预验证处理筛选器中出现异常。
在securitycontext中设置anonymousauthenticationtoken,因为PreAuthenticationdProcessingFilter中的身份验证设置失败
在FilterSecurity Interceptor中,拒绝匿名身份验证令牌,并在stacktrace中保留accessdeniedexception
在exceptiontranslationfilter中,开始处理异常(accessdeniedexception),如下所示
https://docs.spring.io/spring-security/site/docs/4.2.11.release/apidocs/org/springframework/security/web/access/exceptiontranslationfilter.html

If an AccessDeniedException is detected, the filter will determine whether or not the user is an anonymous user. If they are an anonymous user, the authenticationEntryPoint will be launched. If they are not an anonymous user, the filter will delegate to the AccessDeniedHandler. By default the filter will use AccessDeniedHandlerImpl.

https://github.com/spring-projects/spring-security/blob/006b9b960797d279b31cf8c8d16f1549c5632b2c/web/src/main/java/org/springframework/security/web/access/exceptiontranslationfilter.java#l126
最后调用sendstartauthentication并将异常类型重写为insufficientauthenticationexception
https://github.com/spring-projects/spring-security/blob/006b9b960797d279b31cf8c8d16f1549c5632b2c/web/src/main/java/org/springframework/security/web/access/exceptiontranslationfilter.java#l192
Q如何在authenticationentrypoint中检测异常类型?
我正在尝试使用authenticationfailurehandler、成功检测PreAuthenticationdProcessingFilter中的异常类型来禁止授权端点(等“/world”)。
但是有了授权,我不知道如何检测。无法检测具有授权端点的authenticationentrypoint中的异常类型?

http.authorizeRequests()
      .antMatchers("/hello").hasRole("HELLO");
spring-security

暂无答案!

目前还没有任何答案,快来回答吧!

我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com