我是 Spring Security 的新手。我面临一个问题,当身份验证因特定原因失败时,我需要在登录页面上显示错误。
此外,我正在根据对配置的 URL 的 Web 服务调用对用户进行身份验证。下面是我的配置,我也配置了authentication-failure-handler-ref
<security:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsp">
<security:form-login login-page="/login.jsp" authentication-failure-handler-ref="authenticationFailureHandler"
default-target-url="/jsp/home" />
<security:intercept-url pattern="/login.jsp"
access="permitAll" />
<security:intercept-url pattern="/jsp/home"
access="permitAll" />
<security:intercept-url pattern="/jsp/*"
access="isAuthenticated()" />
<security:logout logout-url="/j_spring_security_logout" logout-success-url="/login.jsp?logout=success"
invalidate-session="true" />
</security:http>
<bean id="ldapAuthenticationProvider" class="com.on.transport.authentication.MyAuthenticationProvider">
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref='ldapAuthenticationProvider'/>
</security:authentication-manager>
<bean id="customUserDetailsService" class="com.service.CustomUserDetailsService">
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<property name="exceptionMappings">
<props>
<prop key="org.springframework.security.authentication.BadCredentialsException">/errorPage.jsp?login_error=1</prop>
<prop key="org.springframework.security.authentication.CredentialsExpiredException">/login.jsp?status=2</prop>
<prop key="org.springframework.security.authentication.LockedException">/login.jsp?status=3</prop>
<prop key="org.springframework.security.authentication.DisabledException">/login.jsp?status=4</prop>
</props>
</property>
</bean>
当我像下面这样写“ authentication-failure-url”时,一切正常,
<security:http ......>
<security:form-login login-page="/login.jsp"
default-target-url="/jsp/home" authentication-failure-url="/login.jsp?status=1" />
............
</security:http>
但我需要以一种可以检查不同类型异常的方式进行配置。
身份验证提供者
public class MyAuthenticationProvider implements AuthenticationProvider {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
UsernamePasswordAuthenticationToken auth = (UsernamePasswordAuthenticationToken) authentication;
String username = auth.getName();
String password = (String)auth.getCredentials();
UserUpdated user = null;
int status=0;
try{
status = webservice.authenticate(username, password);
//webservice is object one is used to authenticate
if(status==1){
List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();
if(username!=null && (username.equals("test") || username.equals("jp@on.com"))){
grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
}else{
grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_USER"));
}
return new UsernamePasswordAuthenticationToken(username, null, grantedAuthoritiesList);
}else if(status==2){
throw new BadCredentialsException("Incorrect Email Id or Password.");
}
}catch (Exception e) {
e.printStackTrace();
}
return null;
}
@Override
public boolean supports(Class<? extends Object> authentication) {
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
}
我收到错误消息:
HTTP Status 401 - Authentication Failed: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
相反,我需要使用错误消息重定向到登录页面。
我可以看到日志为
org.springframework.security.authentication.BadCredentialsException: Incorrect Email Id or Password
at com.on.transport.authentication.MyAuthenticationProvider.authenticate(MyAuthenticationProvider.java:98)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
[AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication] - Authentication request failed: org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
2013-09-07 13:05:42,685 DEBUG http-8080-2 [AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication] - Updated SecurityContextHolder to contain null Authentication
2013-09-07 13:05:42,686 DEBUG http-8080-2 [AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication] - Delegating to authentication failure handler org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler@3aabc1
2013-09-07 13:05:42,686 DEBUG http-8080-2 [SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure] - No failure URL set, sending 401 Unauthorized error
2013-09-07 13:05:42,686 DEBUG http-8080-2 [HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-09-07 13:05:42,687 DEBUG http-8080-2 [SecurityContextPersistenceFilter.doFilter] - SecurityContextHolder now cleared, as request processing completed
请帮助我确定我缺少什么。