用Spring Boot 2代替403而不是403

loading...


5

使用Spring Boot 1.5.6.RELEASE我能够发送HTTP状态代码 401 而不是 403 ,如How let spring security response unauthorized(http 401 code) if requesting uri without authentication中所述,通过这样做:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //...
        http.exceptionHandling()
                .authenticationEntryPoint(new Http401AuthenticationEntryPoint("myHeader"));
        //...
    }
}

使用 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类 .

我刚升级到Spring Boot 2.0.0.RELEASE,发现不再有这样的类了(至少在那个包中) .

Q: Spring Boot中是否存在此类( Http401AuthenticationEntryPoint )?如果不是,那么在现有项目中保持相同行为以保持与依赖于此状态代码( 401 )而不是 403 的其他实现的一致性可能是一个很好的替代方法?

4回答

  • 0

    删除了 org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint 类,以支持 org.springframework.security.web.authentication.HttpStatusEntryPoint .

    在我的情况下,代码将是这样的:

    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            //...
            http.exceptionHandling()
                    .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
            //...
        }
    }
    

  • 0

    Http401AuthenticationEntryPoint已删除,请参阅10715

    删除Http401AuthenticationEntryPoint rwinch于2017年10月20日发表评论据我所知,它没有在Spring Boot代码库中使用,因此删除Http401AuthenticationEntryPoint可能会更好 .

    根据您的要求,您可以使用:


  • 2

    只是为了详细说明@ lealceldeiro的答案:

    在Spring Boot 2之前,我的Securiy Configuration类看起来像这样:

    @Configuration
    public class MyConfig extends WebSecurityConfigurerAdapter {
    
        @Bean
        public Http401AuthenticationEntryPoint securityException401EntryPoint() {
          return new Http401AuthenticationEntryPoint("Bearer realm=\"webrealm\"");
        }
    
        @Autowired
        private Http401AuthenticationEntryPoint authEntrypoint;
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
    
          // some http configuration ...
    
          // Spring Boot 1.5.x style
          http.exceptionHandling().authenticationEntryPoint(authEntrypoint);
        }
    //...
    }
    

    现在在Spring Boot 2中它看起来像这样:

    @Configuration
    public class MyConfig extends WebSecurityConfigurerAdapter {
    
        //Bean configuration for Http401AuthenticationEntryPoint can be removed
    
        //Autowiring also removed
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
    
          // some http configuration ...
    
          // Spring Boot 2 style
          http.exceptionHandling().authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        }
    //...
    }
    

    另见:https://github.com/spring-projects/spring-boot/issues/10715#issuecomment-363592444


  • 9

    您可以通过覆盖AuthenticationEntryPoint类来自定义您的逻辑,这应该是正常的:

    @Component public class AuthEntryPointException implements AuthenticationEntryPoint, Serializable {
    
        private static final long serialVersionUID = -8970718410437077606L;
    
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {
            response.setStatus(HttpStatus.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.getWriter().write("{\"result\":\"UNAUTHORIZED\",\"message\":\"UNAUTHORIZED or Invalid Token\"}");
        }
    }
    

loading...

评论

暂时没有评论!