Spring Security 与oauth2.0和表单登录

nszi6y05 于 2021-09-30 发布在 Java

关注(0)|答案(1)|浏览(342)

在我的spring boot应用程序中，我使用google进行基于表单的登录和基于oauth2.0的登录，我的安全配置定义为

http
    .cors()
        .and()
    .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
    .csrf().disable()
    .authorizeRequests()
        .antMatchers("/oauth2/**").permitAll()
        .anyRequest().authenticated()
        .and()
    .addFilter(new JWTAuthenticationFilter(authenticationManager()))
    .addFilter(jwtAuthorizationFilter)
    .formLogin()
        .and()
    .oauth2Login()
        .authorizationEndpoint()
            .authorizationRequestRepository(httpCookieOAuth2AuthorizationRequestRepository)
            .and()
        .userInfoEndpoint()
            .userService(customOAuth2UserService)
            .and()
        .successHandler(oAuth2AuthenticationSuccessHandler)
            .failureHandler(oAuth2AuthenticationFailureHandler);

我正在用jwt进行无状态身份验证，用于基于表单的登录 JWTAuthenticationFilter 按如下方式处理身份验证。
jwtauthenticationfilter

public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    //code to authenticate user and generate JWT
}

及 JWTAuthorizationFilter 验证jwt的后续请求，如下所示。
JWT授权过滤器

public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
    // code to perform authorization
}

现在来看oauth2.0 customOAuth2UserService 注册新用户并更新现有用户信息。 OAuth2AuthenticationSuccessHandler 在oauth2.0身份验证成功时生成jwt。现在，表单登录和oauth2.0的功能都很好，但我正在尝试解决一些需要帮助的小问题。
问题
如果我击中 http://localhost:8080/login 使用错误的表单登录凭据，我得到了一个以google登录作为响应主体、以200作为状态码的登录html表单，理想情况下，我想要400个错误请求之类的。
当我没有在请求中提供jwt令牌时，我得到的是相同的html响应体，带有200个状态代码，理想情况下，我也需要401。
我缺少什么配置，我可以更改什么来解决这些问题。

Java spring-boot spring-security google-oauth spring-security-oauth2

来源：https://stackoverflow.com/questions/67875673/spring-security-with-oauth2-0-and-form-login

1条答案

按热度按时间

iezvtpos1#

对于第二个问题，您可以将其添加到http安全配置中

.exceptionHandling().authenticationEntryPoint(jwtUnAuthorizedResponseAuthenticationEntryPoint)

然后在类中自动连接jwtunauthorizedresponseauthenticationentrypoint，并如下定义jwtunauthorizedresponseauthenticationentrypoint类

import java.io.IOException;
import java.io.Serializable;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class JwtUnAuthorizedResponseAuthenticationEntryPoint implements AuthenticationEntryPoint, Serializable {

    // they is always a generic message that is showed when the unauthenticated user
    // user makes a request
    // here in this class we will override and show what we want to show to an
    // unauthorized user
    // this is called internally

    private static final long serialVersionUID = -8970718410437077606L;

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                "You would need to provide the Jwt Token to Access This resource");
    }
}

它将抛出您想要的401错误

public static final int SC_UNAUTHORIZED = 401;

在里面 public interface HttpServletResponse extends ServletResponse

赞(0）回复(0）举报 2021-09-30

我来回答

Spring Security 与oauth2.0和表单登录

1条答案

相关问题

热门标签

最新问答