我在我的春季启动RESTfull项目中有一些特殊情况,而不是对auth异常上的错误消息的标准定制。我需要不同的消息,具体取决于用户名或密码是否错误,或者用户名不存在,或者用户是否在数据库中被停用。目前,我只能收到消息"Bad credentials"
,还没有找到任何解决方案,如何根据某些用户属性或特殊情况来自定义消息。
我目前有这样的自定义身份验证提供程序:
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Autowired
private CustomUserDetailsService userDetailsService;
@Autowired
PasswordEncoder passwordEncoder;
@Override
public Authentication authenticate(Authentication authentication)
throws org.springframework.security.core.AuthenticationException {
String name = authentication.getName();
String password = authentication.getCredentials().toString();
UserDetails userDetails = userDetailsService.loadUserByUsername(name);
if(passwordEncoder.matches(password, userDetails.getPassword())) {
return new UsernamePasswordAuthenticationToken(userDetails.getUsername(), userDetails.getPassword(),
userDetails.getAuthorities());
}
return null;
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
而且我有这样的自定义用户详细信息服务:
@Service
public class CustomUserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService{
@Autowired
UserService userService; //my custom user service
@Override
public UserDetails loadUserByUsername(String username) {
try {
User user = userService.getUserByUsername(username);
if(user == null) {
throw new UsernameNotFoundException("Username doesn't exist");
} else if(user.isDeactivated()) {
throw new UsernameNotFoundException("User deactivated");
}
List<Authority> listOfAuthorities = userService.getAllAuthoritiesFromUser(user.getUserId());
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
for(Authority authority : listOfAuthorities) {
grantedAuthorities.add(new SimpleGrantedAuthority(authority.getName()));
}
org.springframework.security.core.userdetails.User userNew =
new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), grantedAuthorities);
return userNew;
}
catch(Exception ex) {
throw new UsernameNotFoundException("Username or password not correct");
}
}
}
我在哪里可以处理throw new UsernameNotFoundException
中的消息并将其返回为"error_description"
?
编辑这也是我的SecurityConfig
和ResourceServerConfig
:
@Configuration
@EnableWebSecurity
@Order(Ordered.LOWEST_PRECEDENCE)
public class SecurityConfig extends WebSecurityConfigurerAdapter{
@Autowired
CustomUserDetailsService userDetailsService;
@Autowired
private CustomAuthenticationProvider authProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider)
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
http.addFilterBefore(new AuthenticationTokenFilter(authenticationManager()), BasicAuthenticationFilter.class);
}
// must be overriden and exposed as @Bean, otherwise boot's AuthenticationManagerConfiguration will take precedence
@Bean @Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter{
@Autowired
private AuthExceptionEntryPoint myEntryPoint;
@Override
public void configure(HttpSecurity http) throws Exception {
http.anonymous().and().authorizeRequests().antMatchers("/**")
.authenticated()
.and()
.exceptionHandling().authenticationEntryPoint(myEntryPoint).accessDeniedHandler(new OAuth2AccessDeniedHandler());
}
}
Spring Security上的此通用消息是有目的的,它是混淆登录失败的真正原因是什么。
[一旦您提供所需的特定消息,例如Username doesn't exist
,User deactivated
,Password incorrect
等,您开始为恶意用户提供过多信息。
更新
如果您仍然想那样做,则可以实现自己的AuthenticationFailureHandler
,这样的方法应该起作用:
public class DefaultAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
super.onAuthenticationFailure(request, response, exception);
if (exception.getClass().isAssignableFrom(UsernameNotFoundException.class)) {
response.sendRedirect("User not found")
} else if (exception.getClass().isAssignableFrom(LockedException.class)) {
response.sendRedirect("User Locked")
}
}
}
创建一个类,并用@ControllerAdvice
对其进行注释。这将是处理每个单独异常的逻辑。
@ControllerAdvice
public class ExceptionTranslator {
@ExceptionHandler(UsernameNotFoundException.class)
public ResponseEntity<String> handleUsernameNotFoundException(UsernameNotFoundException ex) {
return ResponseEntity
.status(HttpStatus.UNAUTHORIZED)
.body("your message goes here"); // could be a DTO
}
}