UserDetailsS​​ervice的异常处理

时间:2017-05-02 14:07:50

标签: java spring spring-security exception-handling

我对Spring Security中的异常处理提出了一个问题。

我已定义CustomUserDetailsService,有时(当SM_USER标头中的值为false时)应该抛出异常。

public class CustomUserDetailsService implements UserDetailsService {   

@Override
public UserDetails loadUserByUsername(String smHeaderValue)   throws UsernameNotFoundException {                

    ... throw new UsernameNotFoundException("wrong value of the sm Header");        
    ...
}

我希望在这种情况下抛出Http状态代码403(AccessDenied),但Spring Security始终显示500.并且无法显示标准(对于我的软件)异常表示。我认为异常解析器可以帮助我。但据我所知,标准异常解析器不适合SpringSecurity,其范围仅为Spring MVC。

@ControllerAdvice

公共类ExceptionResolver扩展了AbstractHandlerExceptionResolver {

@Override
protected ModelAndView doResolveException(HttpServletRequest request,
        HttpServletResponse responce, Object handler, Exception exception) {

    ModelAndView toReturn = new ModelAndView();
    toReturn.setView(new MappingJackson2JsonView());
    toReturn.addObject("message", exception.getMessage());
    toReturn.addObject("exceptionClass", exception.getClass().getCanonicalName());

    HttpStatus exceptionStatus = getStatus(exception);
    responce.setStatus(exceptionStatus.value());        
    return toReturn;
}

private HttpStatus getStatus(Exception exception){

    if (exception instanceof UsernameNotFoundException)
        return HttpStatus.FORBIDDEN;        
    return HttpStatus.BAD_REQUEST;
}   
}

有没有办法解决UserDetailsService的错误?

更新 

15:42:37,948 DEBUG qtp1052330967-15 security.DelegateRequestMatchingFilter:137 - preAuthenticatedPrincipal = dhdg, trying to authenticate
15:42:37,950  INFO qtp1052330967-15 security.CustomUserDetailsService:57 - looking for authorities for sm header value: [dhdg]
15:42:37,989 DEBUG qtp1052330967-15 security.DelegateRequestMatchingFilter:225 - Cleared security context due to exception
org.springframework.security.core.userdetails.UsernameNotFoundException: there is no opened sessions with this sm user header value
    at de.escosautomation.restserver.security.CustomUserDetailsService.loadUserByUsername(CustomUserDetailsService.java:73)
    at org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper.loadUserDetails(UserDetailsByNameServiceWrapper.java:53)
    at org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.authenticate(PreAuthenticatedAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:145)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:113)
    at de.escosautomation.restserver.security.DelegateRequestMatchingFilter.doFilter(DelegateRequestMatchingFilter.java:51)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)

2 个答案:

答案 0 :(得分:1)

我想我看到这里出了什么问题。由于您使用PreAuthenticatedAuthenticationProvider,因此未真正处理UsernameNotFoundException。这是因为在典型的预认证环境中,已经验证用户是否存在。

相反,您应该返回状态已禁用已锁定UserDetails对象。

如果您根本无法阅读用户信息,则可以抛出AuthenticationServiceException

答案 1 :(得分:0)

您所询问的内容与Spring Security配置有关,通常当我们想要更改Http Error代码时,我们通过实现自己的  认证失败处理程序和身份验证成功处理程序,然后根据需要指向那些bean:

 <form-login
     authentication-success-handler-ref="mySuccessHandler"
     authentication-failure-handler-ref="myFailureHandler"
  />

 <beans:bean id="mySuccessHandler"
   class="org.rest.security.MySavedRequestAwareAuthenticationSuccessHandler"/>
   <beans:bean id="myFailureHandler" class=
  "org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>

为了您的其他疑问

“我认为异常解析器可以帮助我。但据我所知,标准异常解析器不适合SpringSecurity,其范围仅为Spring MVC”

我们应该在我们的自定义UserDetailsS​​ervice实现中抛出异常以打破身份验证链,并让Spring Security知道用户提供的凭据(例如示例)不匹配。

如果我错过了要解释的内容,请告诉我。我希望这会有所帮助,是的

Happy Codings !!!!!!!!!!!

相关问题
最新问题