首页 文章

用Spring Boot 2代替403而不是403

提问于
浏览
5

使用Spring Boot 1.5.6.RELEASE我能够发送HTTP状态代码 401 而不是 403 ,如How let spring security response unauthorized(http 401 code) if requesting uri without authentication中所述,通过这样做:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //...
        http.exceptionHandling()
                .authenticationEntryPoint(new Http401AuthenticationEntryPoint("myHeader"));
        //...
    }
}

使用 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类 .

我刚升级到Spring Boot 2.0.0.RELEASE,发现不再有这样的类了(至少在那个包中) .

Q: Spring Boot中是否存在此类( Http401AuthenticationEntryPoint )?如果不是,那么在现有项目中保持相同行为以保持与依赖于此状态代码( 401 )而不是 403 的其他实现的一致性可能是一个很好的替代方法?

java spring spring-boot spring-security

4 回答

  • 0

    删除了 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类,以支持 org.springframework.security.web.authentication.HttpStatusEntryPoint .

    在我的情况下,代码将是这样的:

    public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //...
        http.exceptionHandling()
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        //...
    }
}
    回复于
  • 0

    Http401AuthenticationEntryPoint已删除,请参阅10715

    删除Http401AuthenticationEntryPoint rwinch于2017年10月20日发表评论据我所知,它没有在Spring Boot代码库中使用,因此删除Http401AuthenticationEntryPoint可能会更好 .

    根据您的要求,您可以使用:

    回复于
  • 2

    只是为了详细说明@ lealceldeiro的答案:

    在Spring Boot 2之前,我的Securiy Configuration类看起来像这样:

    @Configuration
public class MyConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public Http401AuthenticationEntryPoint securityException401EntryPoint() {
      return new Http401AuthenticationEntryPoint("Bearer realm=\"webrealm\"");
    }

    @Autowired
    private Http401AuthenticationEntryPoint authEntrypoint;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

      // some http configuration ...

      // Spring Boot 1.5.x style
      http.exceptionHandling().authenticationEntryPoint(authEntrypoint);
    }
//...
}

    现在在Spring Boot 2中它看起来像这样:

    @Configuration
public class MyConfig extends WebSecurityConfigurerAdapter {

    //Bean configuration for Http401AuthenticationEntryPoint can be removed

    //Autowiring also removed

    @Override
    protected void configure(HttpSecurity http) throws Exception {

      // some http configuration ...

      // Spring Boot 2 style
      http.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
    }
//...
}

    另见:https://github.com/spring-projects/spring-boot/issues/10715#issuecomment-363592444

    回复于
  • 9

    您可以通过覆盖AuthenticationEntryPoint类来自定义您的逻辑,这应该是正常的:

    @Component public class AuthEntryPointException implements AuthenticationEntryPoint, Serializable {

    private static final long serialVersionUID = -8970718410437077606L;

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException authException) throws IOException {
        response.setStatus(HttpStatus.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.getWriter().write("{\"result\":\"UNAUTHORIZED\",\"message\":\"UNAUTHORIZED or Invalid Token\"}");
    }
}
    回复于

相关问题