Spring Boot Security OAuth2自定义异常消息

问题描述 投票:1回答:1

我在我的春季启动RESTfull项目中有一些特殊情况,而不是对auth异常上的错误消息的标准定制。我需要不同的消息,具体取决于用户名或密码是否错误,或者用户名不存在,或者用户是否在数据库中被停用。目前,我只能收到消息"Bad credentials",还没有找到任何解决方案,如何根据某些用户属性或特殊情况来自定义消息。

我目前有这样的自定义身份验证提供程序:

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Autowired
    PasswordEncoder passwordEncoder;

    @Override
    public Authentication authenticate(Authentication authentication)
            throws org.springframework.security.core.AuthenticationException {


        String name = authentication.getName();
        String password = authentication.getCredentials().toString();

        UserDetails userDetails = userDetailsService.loadUserByUsername(name);


        if(passwordEncoder.matches(password, userDetails.getPassword())) {
            return new UsernamePasswordAuthenticationToken(userDetails.getUsername(), userDetails.getPassword(),
                    userDetails.getAuthorities());
        }

        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }


}

而且我有这样的自定义用户详细信息服务:

@Service
public class CustomUserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService{

    @Autowired
    UserService userService; //my custom user service

    @Override
    public UserDetails loadUserByUsername(String username) {
        try {
            User user = userService.getUserByUsername(username);

            if(user == null) {
                throw new UsernameNotFoundException("Username doesn't exist");
            } else if(user.isDeactivated()) {
                throw new UsernameNotFoundException("User deactivated");
            }

            List<Authority> listOfAuthorities = userService.getAllAuthoritiesFromUser(user.getUserId());
            List<GrantedAuthority> grantedAuthorities = new ArrayList<>();

            for(Authority authority : listOfAuthorities) {
                grantedAuthorities.add(new SimpleGrantedAuthority(authority.getName()));
            }

            org.springframework.security.core.userdetails.User userNew =
            new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), grantedAuthorities);
            return userNew;

        }
        catch(Exception ex) {
            throw new UsernameNotFoundException("Username or password not correct");
        }

    }
}

我在哪里可以处理throw new UsernameNotFoundException中的消息并将其返回为"error_description"

编辑这也是我的SecurityConfigResourceServerConfig

@Configuration
@EnableWebSecurity
@Order(Ordered.LOWEST_PRECEDENCE)
public class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    CustomUserDetailsService userDetailsService;

    @Autowired
    private CustomAuthenticationProvider authProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider)  
        .userDetailsService(userDetailsService)
        .passwordEncoder(passwordEncoder());
    }


    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.addFilterBefore(new AuthenticationTokenFilter(authenticationManager()), BasicAuthenticationFilter.class);
    }

    // must be overriden and exposed as @Bean, otherwise boot's AuthenticationManagerConfiguration will take precedence
    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter{

    @Autowired
    private AuthExceptionEntryPoint myEntryPoint;

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.anonymous().and().authorizeRequests().antMatchers("/**")
                .authenticated()
                .and()
                .exceptionHandling().authenticationEntryPoint(myEntryPoint).accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

}
java spring rest spring-boot spring-security-oauth2
1个回答
2
投票

Spring Security上的此通用消息是有目的的,它是混淆登录失败的真正原因是什么。

[一旦您提供所需的特定消息,例如Username doesn't existUser deactivatedPassword incorrect等,您开始为恶意用户提供过多信息。

更新

如果您仍然想那样做,则可以实现自己的AuthenticationFailureHandler,这样的方法应该起作用:

public class DefaultAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, 
                                            AuthenticationException exception) throws IOException, ServletException {
            super.onAuthenticationFailure(request, response, exception);
            if (exception.getClass().isAssignableFrom(UsernameNotFoundException.class)) {
                response.sendRedirect("User not found")
            } else if (exception.getClass().isAssignableFrom(LockedException.class)) {
                response.sendRedirect("User Locked")
            }
        }
    }

0
投票

创建一个类,并用@ControllerAdvice对其进行注释。这将是处理每个单独异常的逻辑。


@ControllerAdvice
public class ExceptionTranslator {

    @ExceptionHandler(UsernameNotFoundException.class)
    public ResponseEntity<String> handleUsernameNotFoundException(UsernameNotFoundException ex) {
        return ResponseEntity
                .status(HttpStatus.UNAUTHORIZED)
                .body("your message goes here"); // could be a DTO
    }
}
© www.soinside.com 2019 - 2024. All rights reserved.