无法处理失败/成功登录

时间:2019-03-18 13:53:13

标签: java spring-boot oauth-2.0 jhipster spring-security-oauth2

我目前在处理 Spring Boot REST API 服务器上的任何成功失败登录尝试时遇到问题。

我想知道用户是否输入登录 / 密码错误组合,以便执行一些代码(在数据库)。当前,成功/失败方法根本没有被调用,但是奇怪的是,注销是...

有关信息,当我尝试发送错误的登录组合时,我将其记录在日志中:Handling error: InvalidGrantException, Bad credentials。因此,可以轻松地处理此InvalidGrantException吗? (目前我只需要抓住这种情况)

任何帮助将不胜感激!

注意:该项目使用 OAuth 2 作为登录机制,我是Spring Boot的新手(来自Node.JS:p)。

谢谢!

OAuth2ServerConfiguration

@Configuration
public class OAuth2ServerConfiguration {

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

        @Inject
        private Http401UnauthorizedEntryPoint authenticationEntryPoint;

        @Inject
        private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;

        @Inject
        private MyLoginSuccessHandler authenticationSuccessHandler;

        @Inject
        private MyLoginFailureHandler authenticationFailureHandler;

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .formLogin()
                .loginPage("/oauth/token")
                .successHandler(authenticationSuccessHandler) // Here is the handler for success login
                .failureHandler(authenticationFailureHandler) // Here is the handler for failure login
                .and()
                .logout()
                .logoutUrl("/api/logout")
                .logoutSuccessHandler(ajaxLogoutSuccessHandler) // This handler works fine !
                .and()
                .csrf()
                .disable()
                .headers()
                .frameOptions().disable()
                .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                .antMatchers("/api/authenticate").permitAll()
                .antMatchers("/api/register").permitAll();
        }
    }
}

MyLoginFailureHandler

@Component
public class MyLoginFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
        LOG.info("CATCHING A LOGIN FAILURE !");
        // Not called
        // Here I want to know if the user enter wrong combinaison of login/password
    }
}


@Component
public class MyLoginSuccessHandler implements AuthenticationSuccessHandler {
    private static final Logger LOG = LoggerFactory.getLogger(MyLoginSuccessHandler.class);
    public static final String BEARER_AUTHENTICATION = "Bearer ";

    @Inject
    private TokenStore tokenStore;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication)
        throws IOException, ServletException {
        LOG.info("CATCHING A LOGIN SUCCESS !");
        // Not called
        // Actually not usefull for me but not working too :/
    }
}

=======编辑1:=======

我试图创建一个专门针对oAuth服务的新处理程序,但没有成功...

AuthorizationServerConfiguration

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Inject
    private DataSource dataSource;

    @Inject
    private JHipsterProperties jHipsterProperties;

    @Inject
    private OAuth2FailureHandler oAuth2FailureHandler; // Here is my handler

    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    @Inject
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
        throws Exception {

        endpoints
            .tokenStore(tokenStore())
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer
            .allowFormAuthenticationForClients()
            .accessDeniedHandler(oAuth2FailureHandler); // Setting up my handler here
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
            .withClient(jHipsterProperties.getSecurity().getAuthentication().getOauth().getClientid())
            .scopes("read", "write")
            .authorities(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
            .authorizedGrantTypes("password", "refresh_token", "authorization_code", "implicit")
            .secret(jHipsterProperties.getSecurity().getAuthentication().getOauth().getSecret())
            .accessTokenValiditySeconds(jHipsterProperties.getSecurity().getAuthentication().getOauth().getTokenValidityInSeconds());
    }
}

OAuth2FailureHandler

@Component
public class OAuth2FailureHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException e) throws IOException, ServletException {
        LOG.info("CATCHING A LOGIN FAILURE !");
        // Not called
    }
}

=======编辑2:=======

所以我尝试将过滤器添加到我的SecurityConfiguration中,但是没有成功。

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Inject
    private UserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService)
                .passwordEncoder(passwordEncoder());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
            .antMatchers(HttpMethod.OPTIONS, "/**")
            .antMatchers("/app/**/*.{js,html}")
            .antMatchers("/bower_components/**")
            .antMatchers("/i18n/**")
            .antMatchers("/content/**")
            .antMatchers("/swagger-ui/index.html")
            .antMatchers("/api/register")
            .antMatchers("/api/activate")
            .antMatchers("/api/account/reset_password/init")
            .antMatchers("/api/account/reset_password/finish")
            .antMatchers("/test/**")
            .antMatchers("/h2-console/**")
            .antMatchers("/api/configuration");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .httpBasic().realmName("xx")
            .and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
                .requestMatchers().antMatchers("/oauth/authorize")
            .and()
                .authorizeRequests()
                .antMatchers("/oauth/authorize").authenticated()
            .and() // <---- I added this 2 lines of codes
                .antMatcher("/**") // <-
                .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class); // <-
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

    // The new filter method
    private Filter ssoFilter() {
        OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter("/oauth/token");

        filter.setAuthenticationSuccessHandler(new SimpleUrlAuthenticationSuccessHandler() {
            public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
                super.onAuthenticationSuccess(request, response, authentication);
                QueryImpl.LOG.info("CATCHING A LOGIN SUCCESS !");
                // Not called :(
            }
        });


        return filter;
    }
}

0 个答案:

没有答案