Spring Boot，默认身份验证失败处理程序如何工作

Question

这就是问题，我使用内存数据库开发了一个简单的spring boot security应用程序。身份验证成功后，它将重定向到另一个站点，我的问题来自身份验证失败，因为它向我显示了一个空白屏幕。

我已经建立了一个单独的spring安全应用程序，并实现了AuthenticationFailureHandler和AuthenticationSuccessHandler。当我不使用自定义AuthenticationFailureHandler时，我的确在屏幕上收到一条BAD CREDENTIALS消息。

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;

import com.tech.app.security.handler.CsegAuthenticationFailureHandler;
import com.tech.app.security.handler.CsegAuthenticationSuccessHandler;

@SuppressWarnings("deprecation")
@Configuration
@EnableWebSecurity
public class CsegSecurityConfig extends WebSecurityConfigurerAdapter{

    @Autowired
    private CsegAuthenticationSuccessHandler successHandler;
    @Autowired
    private CsegAuthenticationFailureHandler failureHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers(HttpMethod.POST, "/login").permitAll()
            .anyRequest().authenticated().and()
            .formLogin()
            .successHandler(successHandler)
            .failureHandler(failureHandler);

    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication().passwordEncoder(NoOpPasswordEncoder.getInstance()).withUser("user").password("password").roles("USER");
    }



}

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.stereotype.Component;

import com.fasterxml.jackson.databind.ObjectMapper;

@Component
public class CsegAuthenticationFailureHandler implements AuthenticationFailureHandler{

    private ObjectMapper objectMapper = new ObjectMapper();
    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {

        System.out.println("credenciales invalidas");
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        Map<String, Object> data = new HashMap<>();
        data.put("timestamp", Calendar.getInstance().getTime());
        data.put("exception", exception.getMessage());

        response.getOutputStream()
          .println(objectMapper.writeValueAsString(data));
        redirectStrategy.sendRedirect(request, response, "/login?error=true");

    }

}

我想要的是在身份验证失败时将记录保存在DB中，然后返回spring生成的默认登录页面，并在屏幕上显示相应的BAD CREDENTIALS消息。我也想知道默认的AuthenticationFailureHandler在哪里以及它如何工作。我得到的只是一个空白屏幕

Answer 1

通过将适当的Location标头设置为响应来进行重定向。具有youtput流后，您必须首先以该特定顺序编写协议，标头，响应主体。

如果您开始编写正文，则不能编写标头（除非正在缓冲输出）。因此，要么写正文，要么做重定向。