时间戳

首页 > 解决方案 > spring security:BadCredendtials 异常未由链处理且未返回 401

java - spring security:BadCredendtials 异常未由链处理且未返回 401

问题描述

早上好,

我正在关注本教程,以使 spring security 与 jwt 令牌一起工作。

*我的环境版本* spring boot:2.0.1 RELEASE

春季安全配置

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
            .cors().configurationSource(request -> getCorsConfiguration())
            .and()
            .sessionManagement()
            .sessionCreationPolicy(STATELESS)
            .and()
            .exceptionHandling()
            .defaultAuthenticationEntryPointFor(forbiddenEntryPoint(), PROTECTED_URLS)
            .and()
            .authenticationProvider(provider)
            .addFilterBefore(restAuthenticationFilter(), AnonymousAuthenticationFilter.class)
            .authorizeRequests()
            .requestMatchers(PROTECTED_URLS)
            .authenticated()
            .and()
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            .logout().disable();
}
@Bean
TokenAuthenticationFilter restAuthenticationFilter() throws Exception {
    final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS);
    filter.setAuthenticationManager(authenticationManager());
    filter.setAuthenticationSuccessHandler(successHandler());
    return filter;
}

@Bean
SimpleUrlAuthenticationSuccessHandler successHandler() {
    final SimpleUrlAuthenticationSuccessHandler successHandler = new SimpleUrlAuthenticationSuccessHandler();
    successHandler.setRedirectStrategy((HttpServletRequest request, HttpServletResponse response, String url) -> {
        // no redirection strategy
    });
    return successHandler;
}

/**
 * Disable Spring boot automatic filter registration.
 */
@Bean
FilterRegistrationBean disableAutoRegistration(final TokenAuthenticationFilter filter) {
    final FilterRegistrationBean registration = new FilterRegistrationBean(filter);
    registration.setEnabled(false);
    return registration;
}

@Bean
AuthenticationEntryPoint forbiddenEntryPoint() {
    return new HttpStatusEntryPoint(FORBIDDEN);
}

语境:

令牌认证过滤器抛出 BadCredentialsException,以防令牌不符合预期。

预期行为:

spring 链将捕获此错误并将 401 错误返回给用户。

当前行为:

服务器因 500 错误而崩溃。spring security 不处理该错误。

标签: javaspringspring-securityjwt

解决方案

推荐阅读