在我的春季启动网络应用程序中,我点击了一项第三方服务以进行授权,而我的应用程序只是内容提供商。父应用程序使用站点管理程序进行身份验证。我的应用程序在标头中获取用户ID,并调用第三方api来设置具有权限的UserDetails。
我的要求是处理授权第三方服务中断的情况。目前,在这种情况下,我将UserDetails设置为没有任何角色,并且由于每个端点都受授权约束,因此如果第三方授权服务关闭,则会得到403。
但是,如果用户缺乏授权并且授权服务已关闭,我想显示其他消息。
如果我通过从 UserDetailsServiceImpl-> loadUserByUserName()抛出自定义异常来处理授权服务,则 RequestHeaderAuthenticationFilter 会遇到此异常,并且请求将被过滤掉。知道如何完成这项工作吗?
安全配置
public class WebSecurityCustomConfig extends WebSecurityConfigAdapter {
private UserDetailsService userDetails;
protected void configure(HttpSecurity http) {
http.csrf().disable().authorizeRequests().antMatchers("/*).permitAll()
.anyRequests()
.hasAnyAuthority("MODULEX","MODULEY");
http.addFilterBefore(requestHeaderAuthFilter(),
BasicAuthenticationFilter.class);
http.exceptionHandling().authenticationEntryPoint(customEntryPoint());
}
protect void configure(AuthenticationManagerBuilder builder) {
PreAuthenticaticatedAuthenticationProvider auth = new
PreAuthenticaticatedAuthenticationProvider ();
auth.setPreAuthenticatedUserDetailsService(new
UserDetailsByNameServiceWrapper<>(userDetails));
}
}
自定义UserDetailsService
public class CustomUserDetailsService implements UserDetailsService {
private final AuthorizationService authService;
@Inject
public CustoUserDetailsService(AuthorizationService authService) {
this.authService = authService;
}
public UserDetails loadUserByUsername(String username) {
return new User(username, "",
authService.getAuthorities(username));
// authService is a third party jar and if their upstream service
//is down , it throws a runtime exception
}
}
如果我按照以下方式处理他们的错误,那么我最终得到403,但如果服务中断,我希望503,如果用户没有权限访问他所访问的端点,则我希望403。
当前处理身份验证服务异常
public UserDetails loadUserByUsername(String username) {
try{
return new User(username, "",
authService.getAuthorities(username));
}
catch(AuthServiceException e) {
return new User(username, "",
Collections.emptyList());
}
}
答案 0 :(得分:0)
实施AuthenticationEntryPoint
并重写commence()
方法,如下所示。
public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(
HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
}
}
然后在您的WebSecurityCustomConfig
类中创建一个方法,用于按如下方式初始化RestAuthenticationEntryPoint
类。
public AuthenticationEntryPoint authenticationEntryPoint() {
RestAuthenticationEntryPoint ep = new RestAuthenticationEntryPoint();
return ep;
}
然后将您的下一行更改为http.exceptionHandling().authenticationEntryPoint(customEntryPoint());
到
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());