我希望我的authserver在身份验证失败时响应401 http代码。但是,当我在Formlogin配置中添加SimpleUrlAuthenticationFailureHandler时,响应将被OAuth2覆盖。
所以,我的问题是如何避免这种情况,为什么?
我的formlogin安全性和IAuthorizationServer的配置如下
http.requestMatchers()
.antMatchers("/login", "/oauth/authorize")
.and()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.failureHandler(new SimpleUrlAuthenticationFailureHandler())
.permitAll()
.and().csrf().disable()
.logout().logoutUrl("/logout").logoutSuccessUrl("/");
@Override
public void configure(
AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("clientId")
.secret(passwordEncoder.encode("secret"))
.authorizedGrantTypes("authorization_code")
.scopes("user_info")
.autoApprove(true);
}
<oauth>
<error_description>
Full authentication is required to access this resource
</error_description>
<error>unauthorized</error>
</oauth>
此响应实际上是来自OAuth2的响应。