用Spring Boot 2代替403而不是403

使用Spring Boot 1.5.6.RELEASE我能够发送HTTP状态代码 401 而不是 403 ,如How let spring security response unauthorized(http 401 code) if requesting uri without authentication中所述,通过这样做:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //...
        http.exceptionHandling()
                .authenticationEntryPoint(new Http401AuthenticationEntryPoint("myHeader"));
        //...
    }
}

使用 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类 .

我刚升级到Spring Boot 2.0.0.RELEASE,发现不再有这样的类了(至少在那个包中) .

Q: Spring Boot中是否存在此类( Http401AuthenticationEntryPoint )?如果不是,那么在现有项目中保持相同行为以保持与依赖于此状态代码( 401 )而不是 403 的其他实现的一致性可能是一个很好的替代方法?

回答(4)

2 years ago

删除了 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类,以支持 org.springframework.security.web.authentication.HttpStatusEntryPoint .

在我的情况下,代码将是这样的:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //...
        http.exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        //...
    }
}

2 years ago

Http401AuthenticationEntryPoint已删除,请参阅10715

删除Http401AuthenticationEntryPoint rwinch于2017年10月20日发表评论据我所知,它没有在Spring Boot代码库中使用,因此删除Http401AuthenticationEntryPoint可能会更好 .

根据您的要求,您可以使用:

2 years ago

只是为了详细说明@ lealceldeiro的答案:

在Spring Boot 2之前,我的Securiy Configuration类看起来像这样:

@Configuration
public class MyConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public Http401AuthenticationEntryPoint securityException401EntryPoint() {
      return new Http401AuthenticationEntryPoint("Bearer realm=\"webrealm\"");
    }

    @Autowired
    private Http401AuthenticationEntryPoint authEntrypoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

      // some http configuration ...

      // Spring Boot 1.5.x style
      http.exceptionHandling().authenticationEntryPoint(authEntrypoint);
    }
//...
}

现在在Spring Boot 2中它看起来像这样:

@Configuration
public class MyConfig extends WebSecurityConfigurerAdapter {

    //Bean configuration for Http401AuthenticationEntryPoint can be removed

    //Autowiring also removed

    @Override
    protected void configure(HttpSecurity http) throws Exception {

      // some http configuration ...

      // Spring Boot 2 style
      http.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
    }
//...
}

另见:https://github.com/spring-projects/spring-boot/issues/10715#issuecomment-363592444

2 years ago

您可以通过覆盖AuthenticationEntryPoint类来自定义您的逻辑,这应该是正常的:

@Component public class AuthEntryPointException implements AuthenticationEntryPoint, Serializable {

    private static final long serialVersionUID = -8970718410437077606L;

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException authException) throws IOException {
        response.setStatus(HttpStatus.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.getWriter().write("{\"result\":\"UNAUTHORIZED\",\"message\":\"UNAUTHORIZED or Invalid Token\"}");
    }
}