我使用的是Spring Boot 2.0.5 + Spring Security 5.0.8。
我已经配置了以下预身份验证:
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
private static final RequestMatcher PROTECTED_URLS = new OrRequestMatcher(new AntPathRequestMatcher("/**"));
private static final String headerAccessId = "accessId";
@Autowired
RESTAuthenticationEntryPoint restAuthenticationEntryPoint;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(preauthAuthProvider());
}
@Bean
public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
PreAuthenticatedAuthenticationProvider preauthAuthProvider = new PreAuthenticatedAuthenticationProvider();
preauthAuthProvider
.setPreAuthenticatedUserDetailsService(new PreAuthenticatedUserDetailsService());
return preauthAuthProvider;
}
public RequestHeaderAuthenticationFilter requestHeaderAuthenticationFilter(
final AuthenticationManager authenticationManager) {
RequestHeaderAuthenticationFilter filter =
new RequestHeaderAuthenticationFilter();
filter.setPrincipalRequestHeader(headerAccessId);
filter.setCredentialsRequestHeader(headerAccessId);
filter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
return filter;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable().formLogin().disable().httpBasic().disable().logout().disable() // disable autoconfig
.exceptionHandling()
.authenticationEntryPoint(restAuthenticationEntryPoint)
.and()
.authorizeRequests()
.requestMatchers(PROTECTED_URLS).authenticated()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.addFilter(requestHeaderAuthenticationFilter(authenticationManager()))
;
}
}
和自定义的authenticationEntryPoint:
@Component
public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(final HttpServletRequest request, final HttpServletResponse response,
final AuthenticationException authException) throws IOException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
}
}
但是我无法正确捕获此类异常:
ERROR o.a.c.c.C.[Tomcat].[localhost] -
Exception Processing ErrorPage[errorCode=0, location=/error]
org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: accessId header not found in request.
试图访问错误页面。
如何正确处理这些异常?我的锁链错了吗?