在我的Spring Boot (v. 2.7.0)应用程序中,我使用Spring Security进行身份验证。如果用户试图使用无效凭据登录,服务器将响应403(禁止)状态码,但我希望使用401(未授权)来代替。
我在我的配置中找不到任何表明Spring Security的默认行为已被覆盖的内容,但无论是否有,我希望在身份验证失败时返回401。
我通过了相关的Spring Security代码,它出现了Spring Security当鉴权失败时,调用SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure
方法。这个方法包括
response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
但是由于某种原因403返回给客户端-所以我猜响应在上面的行之后被更改了。
当身份验证失败时,我如何更改Spring Security返回401 ?我在下面附上了我的安全配置以供参考。
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true, jsr250Enabled = true)
public class SecurityConfiguration {
@Autowired
private AuthenticationConfiguration authenticationConfiguration;
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = authenticationConfiguration.getAuthenticationManager();
var jwtAuthenticationFilter = new JwtAuthenticationFilter(authenticationManager);
var jwtAuthorisationFilter = new JwtAuthorisationFilter();
http.cors().and().csrf().disable().authorizeRequests()
.anyRequest().authenticated().and()
.addFilter(jwtAuthenticationFilter)
.addFilterAfter(jwtAuthorisationFilter, BasicAuthenticationFilter.class)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
return http.build();
}
}
JwtAuthenticationFilter
调用authenticationManager.authenticate
,如果凭据无效,则引发org.springframework.security.authentication.BadCredentialsException
。
更新我尝试添加本文中描述的自定义AuthenticationFailureHandler
bean,但是我的自定义bean从未被调用(而是调用默认beanSimpleUrlAuthenticationFailureHandler
)。
您可以提供您自己的自定义AccessDeniedHandler
实现。
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
AuthenticationManager authenticationManager = authenticationConfiguration.getAuthenticationManager();
var jwtAuthenticationFilter = new JwtAuthenticationFilter(authenticationManager);
var jwtAuthorisationFilter = new JwtAuthorisationFilter();
http.cors().and().csrf().disable().authorizeRequests()
.anyRequest().authenticated().and()
.addFilter(jwtAuthenticationFilter)
.addFilterAfter(jwtAuthorisationFilter, BasicAuthenticationFilter.class)
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.accessDeniedHandler( (request, response, exception) ->
response.sendError(HttpStatus.UNAUTHORIZED.value(), exception.getMessage()
));
return http.build();
}