当Spring Boot安全性中的授权服务不起作用时的授权错误处理

时间:2019-03-14 18:54:44

标签: spring spring-boot spring-security

在我的春季启动网络应用程序中,我点击了一项第三方服务以进行授权,而我的应用程序只是内容提供商。父应用程序使用站点管理程序进行身份验证。我的应用程序在标头中获取用户ID,并调用第三方api来设置具有权限的UserDetails。

我的要求是处理授权第三方服务中断的情况。目前,在这种情况下,我将UserDetails设置为没有任何角色,并且由于每个端点都受授权约束,因此如果第三方授权服务关闭,则会得到403。

但是,如果用户缺乏授权并且授权服务已关闭,我想显示其他消息。

如果我通过从 UserDetailsS​​erviceImpl-> loadUserByUserName()抛出自定义异常来处理授权服务,则 RequestHeaderAuthenticationFilter 会遇到此异常,并且请求将被过滤掉。知道如何完成这项工作吗?

安全配置

public class WebSecurityCustomConfig extends WebSecurityConfigAdapter {
 private UserDetailsService userDetails;
 protected void configure(HttpSecurity http) {
   http.csrf().disable().authorizeRequests().antMatchers("/*).permitAll()
   .anyRequests()
   .hasAnyAuthority("MODULEX","MODULEY");

 http.addFilterBefore(requestHeaderAuthFilter(), 
   BasicAuthenticationFilter.class);
    http.exceptionHandling().authenticationEntryPoint(customEntryPoint());
 }

 protect void configure(AuthenticationManagerBuilder builder) {
   PreAuthenticaticatedAuthenticationProvider auth = new 
             PreAuthenticaticatedAuthenticationProvider ();
  auth.setPreAuthenticatedUserDetailsService(new 
      UserDetailsByNameServiceWrapper<>(userDetails));
  }
 }

自定义UserDetailsS​​ervice

  public class CustomUserDetailsService implements UserDetailsService {
    private final AuthorizationService authService;
    @Inject
     public CustoUserDetailsService(AuthorizationService authService) {
       this.authService = authService;
       }
       public UserDetails loadUserByUsername(String username) {
         return new User(username, "", 
                 authService.getAuthorities(username));  
        // authService is a  third party jar and if their upstream service 
           //is down , it throws a runtime exception
      }
      }

如果我按照以下方式处理他们的错误,那么我最终得到403,但如果服务中断,我希望503,如果用户没有权限访问他所访问的端点,则我希望403。

当前处理身份验证服务异常

     public UserDetails loadUserByUsername(String username) {
         try{
         return new User(username, "", 
                 authService.getAuthorities(username));  
       }
          catch(AuthServiceException e) {
               return new User(username, "", 
                 Collections.emptyList());  
               } 
      }

1 个答案:

答案 0 :(得分:0)

实施AuthenticationEntryPoint并重写commence()方法,如下所示。

public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(
            HttpServletRequest request, 
            HttpServletResponse response, 
            AuthenticationException authException) throws IOException, ServletException {

        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");

    }

}

然后在您的WebSecurityCustomConfig类中创建一个方法,用于按如下方式初始化RestAuthenticationEntryPoint类。

public AuthenticationEntryPoint authenticationEntryPoint() {
    RestAuthenticationEntryPoint ep = new RestAuthenticationEntryPoint();
    return ep;
}

然后将您的下一行更改为http.exceptionHandling().authenticationEntryPoint(customEntryPoint());

http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());