UserDetailsService异常处理

Question

我在Security中有一个关于异常处理的问题。

我定义了一个CustomUserDetailsService，它有时(当SM_USER头中的值为false)应该抛出一个异常。

public class CustomUserDetailsService implements UserDetailsService {   

@Override
public UserDetails loadUserByUsername(String smHeaderValue)   throws UsernameNotFoundException {                

    ... throw new UsernameNotFoundException("wrong value of the sm Header");        
    ...
}

在这种情况下，我希望抛出一个Http状态代码403 (AccessDenied)，但是Security总是显示500。并且无法显示标准(对于我的软件)异常表示。我认为异常解决程序可以帮助我。但据我所知，标准异常解析器不适合SpringSecurity，其范围仅限于Spring。

@ControllerAdvice

公共类ExceptionResolver扩展AbstractHandlerExceptionResolver{

@Override
protected ModelAndView doResolveException(HttpServletRequest request,
        HttpServletResponse responce, Object handler, Exception exception) {

    ModelAndView toReturn = new ModelAndView();
    toReturn.setView(new MappingJackson2JsonView());
    toReturn.addObject("message", exception.getMessage());
    toReturn.addObject("exceptionClass", exception.getClass().getCanonicalName());

    HttpStatus exceptionStatus = getStatus(exception);
    responce.setStatus(exceptionStatus.value());        
    return toReturn;
}

private HttpStatus getStatus(Exception exception){

    if (exception instanceof UsernameNotFoundException)
        return HttpStatus.FORBIDDEN;        
    return HttpStatus.BAD_REQUEST;
}   
}

有办法解决UserDetailsService的例外吗？

更新

15:42:37,948 DEBUG qtp1052330967-15 security.DelegateRequestMatchingFilter:137 - preAuthenticatedPrincipal = dhdg, trying to authenticate
15:42:37,950  INFO qtp1052330967-15 security.CustomUserDetailsService:57 - looking for authorities for sm header value: [dhdg]
15:42:37,989 DEBUG qtp1052330967-15 security.DelegateRequestMatchingFilter:225 - Cleared security context due to exception
org.springframework.security.core.userdetails.UsernameNotFoundException: there is no opened sessions with this sm user header value
    at de.escosautomation.restserver.security.CustomUserDetailsService.loadUserByUsername(CustomUserDetailsService.java:73)
    at org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper.loadUserDetails(UserDetailsByNameServiceWrapper.java:53)
    at org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider.authenticate(PreAuthenticatedAuthenticationProvider.java:87)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doAuthenticate(AbstractPreAuthenticatedProcessingFilter.java:145)
    at org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter.doFilter(AbstractPreAuthenticatedProcessingFilter.java:113)
    at de.escosautomation.restserver.security.DelegateRequestMatchingFilter.doFilter(DelegateRequestMatchingFilter.java:51)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)

Answer 1

我想我知道这里出了什么问题。由于您使用了PreAuthenticatedAuthenticationProvider，所以并不真正处理UsernameNotFoundException。这是因为在典型的预验证环境中，已经验证了用户的存在。

相反，您应该返回状态禁用或锁定的UserDetails对象。

如果根本无法读取用户信息，则可以抛出一个AuthenticationServiceException。

Answer 2

您要问的是Spring安全配置，通常当我们想要更改Http错误代码时，我们会根据需要实现自己的身份验证-失败处理程序和身份验证-成功处理程序，然后指向类似于下面这样的bean：

 <form-login
     authentication-success-handler-ref="mySuccessHandler"
     authentication-failure-handler-ref="myFailureHandler"
  />

 <beans:bean id="mySuccessHandler"
   class="org.rest.security.MySavedRequestAwareAuthenticationSuccessHandler"/>
   <beans:bean id="myFailureHandler" class=
  "org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/>

为你的另一个疑问

“我认为异常解析器可以帮助我。但据我所知，标准异常解析器不适合SpringSecurity，其范围仅为Spring。”

我们应该在自定义UserDetailsService实现中抛出异常，以打破身份验证链，并让Security知道用户提供的凭据(例如示例)不匹配。

如果我漏掉了什么要解释的，请告诉我。我希望这会有帮助，是的

乐此不疲