使用Spring Security

时间:2015-05-15 14:52:14

标签: java oauth spring-security spring-security-oauth2

虽然这似乎是一件容易的事,但事实却恰恰相反。我尝试自定义OAuth2客户端身份验证请求的错误处理。这样做的目的是从响应消息中删除异常堆栈跟踪/消息。

上下文

  • vanilla Oauth2 Spring Security实施
  • Java Spring配置

完成任务所采取的步骤

  1. 创建OAuth2ExceptionRenderer
    2. 的自定义实现

  2. 创建@Bean OAuth2AuthenticationEntryPoint个实例 

    @Bean
public OAuth2AuthenticationEntryPoint clientAuthEntryPoint()
{
    OAuth2AuthenticationEntryPoint clientEntryPoint = new OAuth2AuthenticationEntryPoint();
    clientEntryPoint.setTypeName("Basic");
    clientEntryPoint.setRealmName("my-realm/client");
    clientEntryPoint.setExceptionRenderer(new CustomOAuth2ExceptionRenderer());
    return clientEntryPoint;
}

  3. 创建拒绝访问权限的处理程序 

    @Bean
public OAuth2AccessDeniedHandler accessDeniedHandler()
{
    OAuth2AccessDeniedHandler adh = new OAuth2AccessDeniedHandler();
    adh.setExceptionRenderer(new CustomOAuth2ExceptionRenderer());
    return adh;
}

  4. 使用AuthorizationServerSecurityConfigurer中的这些专门实现来增强AuthorizationServerConfiguration等等 

    @Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter
{
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
    {
        oauthServer.authenticationEntryPoint(clientAuthEntryPoint());
        oauthServer.accessDeniedHandler(accessDeniedHandler());
        oauthServer.realm("my-realm");
    }
}

    5. OAuth2请求

    我们使用curl启动OAuth2 reuqests。以下是我们用于测试客户端身份验证的命令:

    curl --insecure -H "Accept: application/json" -X POST -iu adfadsf:asdvadfgadf "https://localhost:8430/oauth/token?grant_type=password$username=john&pasword=johny"

    观察到的行为

    由于客户端身份验证是基本身份验证,因此Spring Security会为该步骤分配BasicAuthenticationFilter。如果碰巧在与此步骤相关的后端出现错误(例如SQL异常),则Spring Security将不会选择OAuth2AuthenticationEntryPoint并将返回默认入口点BasicAuthenticationEntryPoint

    日志

    o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
o.s.s.w.a.www.BasicAuthenticationFilter  : Authentication request for failed: org.springframework.security.authentication.InternalAuthenticationServiceException: show me the money
s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@649f92da
s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed```

1 个答案:

答案 0 :(得分:0)

您可以尝试使用Roman Wozniak在您的机票#483上发布的解决方案。它对我来说非常好用:))

  • Roman Wozniak的代码:

    @Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

  //...

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
                    .realm(RESOURCE_ID + "/client")
                    .accessDeniedHandler(accessDeniedHandler)
                    .authenticationEntryPoint(entryPoint);

        // This allows you to replace default filter for Basic authentication and customize error responses
        oauthServer.addTokenEndpointAuthenticationFilter(
                new BasicAuthenticationFilter(authenticationManager, entryPoint));
        }
}
相关问题
最新问题