我们有一个使用
spring boot构建的Web应用程序,我们使用spring security来管理身份验证.现在使用基本模式进行身份验证.
我们使用UserDetailsService来处理身份验证.当我们使用嵌入式tomcat直接从STS运行应用程序时,当用户不是enabled时,我们收到以下错误,状态码为401.
{"timestamp":1485512173312,"status":401,"error":"Unauthorized","message":"User is disabled","path":"/trex/user"}
但是,当我将应用程序打包成战争并将其部署到Tomcat时,我们不再收到json错误.相反,我们收到类似于以下的html错误.
<html><head><title>Apache Tomcat/7.0.75 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - User is disabled</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>User is disabled</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.75</h3></body></html>
是否可以停止处理标准错误代码并让json数据按原样返回?
编辑:
Spring安全配置
/**
* Security configuration. Defines configuration methods and security
* constraints. Autowired bean definitions can be found in {@link AuthAppConfig}
*
*
*/
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
Logger logger = LoggerFactory.getLogger(getClass());
/*userDetailsService
* @Autowired TRexUserDetailsService customAuthenticationEntryPoint;
*
*/
@Autowired
TRexUserDetailsService userDetailsService;
@Autowired
private AmazonProperties amazonProperties;
/**
* Configuration related to authentication and authorization
*
* @param http
* @throws Exception
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
AuthenticationEntryPoint entryPoint = new CustomAuthenticationEntryPoint();
LogoutHandler myLogoutHandler = new MyLogoutSuccessHandler();
logger.info("Configuring the security of the application");
http
// Basic Authentication
.httpBasic().authenticationEntryPoint(entryPoint)
.and().authorizeRequests()
// Allowing index.html, login.html and / and
// resetforgotpassword.html and all forgot user mappings since
// we are using 2 way handshake for this purpose
.antMatchers("/activate/user","/activate/token/**"
,"/validate","/validateEmail","/user/resetpassword/**","/user/forgotpassword"
,"/admin/masters/*.js","/admin/modeller/*.js", "/login.html", "/index.html","/activateuser.html","/savepassword.html","/forgotpassword.html","/","/lib/**"
,"/directives/paginated-control.js"
, "/expense/js/summary.js"
,"/travel/js/directive/uploadDirecetive.js"
,"/travel/js/travelData.js"
,"/travel/js/summary.js"
,"/directives/paginated-control.js"
,"/loginform.html"
,"/infoDirective.html"
)
.permitAll()
// Admin ADMIN,
.antMatchers("/admin/**").access("hasRole('ADMIN')")
// Allow SA
.antMatchers("/SA/**").access("hasRole('SUPER')")
//Allow REPORTS
.antMatchers("/reports/**").access("hasRole('REPORT')")
// All other requests are to be authenticated.
.anyRequest().authenticated().and()
// Filter to prevent CSRF attacks.
.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class).csrf()
// Used to check which requests are to be checked for csrf
// protection
.requireCsrfProtectionMatcher(new CsrfRequestMatcher())
// Add the renamed CSRF token header repository
.csrfTokenRepository(csrfTokenRepository())
.and()
// Configuration for /logout
.logout()
// Logout requires form submit. Bypassing the same.
.logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/#/login")
.addLogoutHandler(myLogoutHandler)
//Session management to store session registry
.and().sessionManagement()
.maximumSessions(100)
.maxSessionsPreventsLogin(false)
.expiredUrl("/#/login")
.sessionRegistry(sessionRegistry());
}
/**
* Session Registry to store sessions
* @return
*/
@Bean
SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
/**
* Session event publisher.
* @return
*/
@SuppressWarnings({ "rawtypes", "unchecked" })
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
/**
* This method specifies that the header name to be used is XSRF token
* instead of the default CSRF cause Angular names the token as XSRF instead
* of CSRF
*
* @return
*/
private CsrfTokenRepository csrfTokenRepository() {
logger.info("Configuring the CSRF token name as XSRF-TOKEN");
HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
repository.setHeaderName("X-XSRF-TOKEN");
return repository;
}
/**
* Configuration for Custom Authentication
*
* @param auth
* @throws Exception
*/
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth, BCryptPasswordEncoder passwordEncoder)
throws Exception {
logger.info("Configuring the authentication to custom User Details Service");
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
logger.info("Configuring the authentication to custom User Details Service");
}
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
// TODO Auto-generated method stub
return super.authenticationManagerBean();
}
@Bean
public AuthenticationEntryPoint authenticationEntryPoint() throws Exception {
BasicAuthenticationEntryPoint entryPoint = new CustomAuthenticationEntryPoint();
entryPoint.setRealmName("Spring");
return entryPoint;
}
}
最佳答案 您应该能够在CustomAuthenticationEntryPoint中修复此问题.请参阅此
answer,了解如何避免Tomcat的默认错误页面.
假设您的自定义EntryPoint是BasicAuthenticationEntryPoint的扩展(如bean所示),请参阅此处:
org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java/#59
你需要更换:
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
有:
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
