我已经为这个问题绞尽脑汁好几天了。背景故事是,我在安全方面使用带有 spring-boot-starter-security 依赖项的 Spring Boot。我正在尝试构建一个只应使用 JSON(或 XML,如果我也决定实现的话)进行回复的 REST Web 服务。我可以返回资源并且我的 URI 工作正常,所以没有问题。我什至在安全性上进行了 json 对象身份验证。
这就是我的问题。当未经授权的用户尝试访问受限资源时,Spring Security 会提供登录页面 (HTML)。这是有问题的。我只是希望它返回 401 以及我选择的可能的 JSON 错误对象。与成功登录相同。我不想让它重定向。尤其不是预制的 HTML 页面。
我查阅了教程,每个人都提到使用 AuthenticationEntryPoint 等来控制流程。但!我没有那个。显然 HttpSecurity 类不再存在该方法。有人有答案吗?这是相关代码,如果您需要,我会提供更多。
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
private JsonAuthenticationFilter authFilter;
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
authFilter = new JsonAuthenticationFilter();
authFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/login","POST"));
authFilter.setAuthenticationManager(this.authenticationManagerBean());
httpSecurity
.addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
.csrf()
.disable()
.formLogin()
.permitAll()
.loginProcessingUrl("/login")
.failureUrl("/error")
.usernameParameter("username")
.passwordParameter("password")
.and()
.logout()
.permitAll()
.logoutUrl("/logout")
.and()
.authorizeRequests()
.antMatchers("/", "/version")
.permitAll()
.and()
.authorizeRequests()
.anyRequest()
.authenticated();
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
}
以及 Maven 依赖项...
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.2.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-hateoas</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.restdocs</groupId>
<artifactId>spring-restdocs-mockmvc</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>com.datastax.cassandra</groupId>
<artifactId>cassandra-driver-mapping</artifactId>
</dependency>
</dependencies>
最佳答案
When an un-authorized user tries to access a restricted resource, Spring Security delivers a login page (HTML). This is problematic. I just want it to return a 401 and possibly a JSON error object of my choosing
如果您不需要表单登录,只需在SecurityConfiguration中禁用它即可。为此,请替换此配置:
formLogin()
.permitAll()
.loginProcessingUrl("/login")
.failureUrl("/error")
.usernameParameter("username")
.passwordParameter("password")
与:
formLogin()
.disable();
或者您可以直接丢弃 formLogin 部分。
BUT! I don't have that. Apparently that method doesn't exist anymore for HttpSecurity class. Anyone have the answer?
它位于exceptionHandling下:
http.exceptionHandling()
.authenticationEntryPoint(yourEntryPoint)
关于java - Spring Boot 安全登录 (v4),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/35435716/