认证成功但授权不成功返回HTTP 403如何解决?

问题描述 投票:0回答:2

我有一个 Spring Boot 应用程序,它也使用 Spring Security。我想检查用户是否有权登录应用程序,但必须经过身份验证。要点是,在登录时,用户选择他们必须连接的项目。可以允许用户连接到一个项目,但不允许连接到另一项目。但是,如果用户输入无效凭据,则即使用户无权登录所选项目,也必须首先显示有关无效凭据的消息。因此,检查项目的权限必须在认证之后。

这是我的 SecurityConfig 类:

package org.aze.accountingprogram.config;

import org.aze.accountingprogram.models.CurrentUser;
import org.aze.accountingprogram.models.PermissionAliasConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().antMatchers("/lib/**").permitAll().anyRequest().fullyAuthenticated()
                .and()
                .formLogin().successHandler(successHandler()).loginPage("/login").permitAll()
                .and().exceptionHandling().accessDeniedHandler(accessDeniedHandler())
                .and()
                .logout().logoutUrl("/logout").logoutSuccessUrl("/login").permitAll();

        http.csrf().disable();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(new Md5PasswordEncoder());
    }

    private AccessDeniedHandler accessDeniedHandler() {
        return (request, response, e) -> {
            logger.debug("Returning HTTP 403 FORBIDDEN with message: \"{}\"", e.getMessage());
            response.sendError(HttpStatus.FORBIDDEN.value(), e.getMessage());
        };
    }

    private AuthenticationSuccessHandler successHandler() {
        return new AuthenticationSuccessHandler() {
            @Override
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
                CurrentUser user = (CurrentUser) authentication.getPrincipal();
                if (!user.hasAccessRight(PermissionAliasConstants.LOGIN)) {
                    throw new AccessDeniedException(String.format("User \"%s\" is not authorized to login \"%s\" project", user.getUsername(), user.getProject().getName()));
                }
            }
        };
    }

}

UserDetailsService 的实现:

package org.aze.accountingprogram.serviceimpl;

import org.aze.accountingprogram.common.Constants;
import org.aze.accountingprogram.exceptions.DataNotFoundException;
import org.aze.accountingprogram.models.AccessRightsPermission;
import org.aze.accountingprogram.models.CurrentUser;
import org.aze.accountingprogram.models.Project;
import org.aze.accountingprogram.models.User;
import org.aze.accountingprogram.service.AccessRightsService;
import org.aze.accountingprogram.service.ProjectService;
import org.aze.accountingprogram.service.UserService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import javax.servlet.http.HttpServletRequest;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

@Service
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserService userService;

    @Autowired
    private ProjectService projectService;

    @Autowired
    private AccessRightsService accessRightsService;
    
    @Autowired
    private HttpServletRequest request;

    private static final Logger logger = LoggerFactory.getLogger(UserDetailsServiceImpl.class);

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user;
        Project project;
        final String projectId = request.getParameter(Constants.SESSION_PROJECT_ID);
        logger.debug("Username: {}, projectId: {}", username, projectId);

        try {
            user = userService.getUserByUsername(username);
        } catch (DataNotFoundException e) {
            throw new UsernameNotFoundException(e.getMessage(), e);
        }

        // Value of projectId is from combo box which is filled from table of projects
        // That is why there is no probability that the project will not be found
        project = projectService.getProjectById(Integer.valueOf(projectId));

        // User can have different rights for different projects
        List<AccessRightsPermission> accessRights = accessRightsService.getAccessRightsByProject(user.getId(), project.getId());
        Set<GrantedAuthority> authorities = new HashSet<>(accessRights.size());
        authorities.addAll(accessRights.stream().map(right -> new SimpleGrantedAuthority(right.getAlias())).collect(Collectors.toList()));

        final CurrentUser currentUser = new CurrentUser(user, project, authorities);

        // If to check LOGIN access right to project here, and user entered right credentials
        // then user will see message about invalid credentials.
        // .and().exceptionHandling().accessDeniedHandler(accessDeniedHandler()) at SecurityConfig is not working in this case
//        if (!currentUser.hasAccessRight(PermissionAliasConstants.LOGIN)) {
//            throw new AccessDeniedException(String.format("User \"%s\" is not authorized to login \"%s\" project", user.getUsername(), project.getName()));
//        }

        logger.info("Logged in user: {}", currentUser);
        return currentUser;
    }
}

和登录控制器

package org.aze.accountingprogram.controllers;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

import java.util.Optional;

@Controller
public class LoginController {

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public ModelAndView getLoginPage(@RequestParam Optional<String> error) {
        return new ModelAndView("login", "error", error);
    }

}
如果用户没有登录项目的访问权限,

successHandler()
可以工作,并且应用程序会抛出 
AccessDeniedException
。但是 
accessDeniedHandler()
不起作用,也不会发送 HTTP 403。相反,我收到了 HTTP 500。

如何返回 HTTP 403 响应和异常消息(例如“用户“tural”无权登录“AZB”项目”)并在

LoginController
中处理(使用
@ResponseStatus(HttpStatus.FORBIDDEN)
@ExceptionHandler
)?

java spring spring-security
2个回答
0
投票

不确定这是否是您要寻找的,但您可以在控制器的登录 POST 方法中注入 

HttpServletResponse

因此,如果您的服务通知您授权不正确,您可以这样做

response.setStatus(403);

@RequestMapping(value = "/login", method = RequestMethod.POST)
public ModelAndView loginAction(@RequestParam String login, @RequestParam String pw, HttpServletResponse response) {
   doStuff(login,pw);
   if(service.isNotHappy(login,pw)){
      response.setStatus(403);
   }else{
      // happy flow
   }
   ...
}

//更新:

自从 

public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException

方法是

org.springframework.security.core.userdetails.UserDetailsService
接口的实现,实际上你不能像在
HttpServletResponse
带注释的控制器中那样注入
@RequestMapping

但是,这是另一个(希望是正确的!)解决方案:

1)在

loadUserByUsername(String x)
方法的实现中,如果用户没有访问权限,则抛出
CustomYourException

2) 创建一个新的 

ExceptionHandlingController
类,在 
@ControllerAdvice
处用 
class level
注释(并确保它像控制器一样被扫描),其中包含如下方法: 

@ControllerAdvice
public class ExceptionHandlingController {

   @ExceptionHandler({CustomYourException.class})
   public ModelAndView handleCustomExceptionError(HttpServletRequest request, HttpServletResponse response, CustomYourException cyee) {
       // this method will be triggered upon CustomYourException only
       // you can manipulate the response code here, 
       // return a custom view, use a special logger
       // or do whatever else you want here :)
   }
}

如您所见,将根据您在 

@ExceptionHandler
注释中定义的特定异常来调用此处理程序 - 非常有用! 从那里,您可以操作 HttpServletResponse 并设置所需的响应代码,和/或将用户发送到特定视图。

希望这能解决您的问题:)

0
投票

也许你应该 return;response.sendError()

之后
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.