0

我正在使用华夫饼 1.7 + spring 4 + spring security 3.2 + thymeleaf。我的问题是,当回退表单日志记录失败时,我无法提供自定义错误页面。这是我的配置: @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/**") .authenticated() .and() .exceptionHandling() .authenticationEntryPoint(negotiateSecurityFilterEntryPoint()) .accessDeniedPage("/access-denied") .and() .addFilterBefore(waffleNegotiateSecurityFilter(), BasicAuthenticationFilter.class); }

当用户在关闭 SNPENGO 的情况下使用浏览器并输入错误的凭据时,会出现默认的系统 500 页面,其中包含以下信息:

com.sun.jna.platform.win32.Win32Exception: The logon attempt failed. waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:134) waffle.servlet.spi.NegotiateSecurityFilterProvider.doFilter(NegotiateSecurityFilterProvider.java:103) waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:130) ...

如何提供我的自定义页面(access-denied.html thymeleaf 模板)?到目前为止,我已经尝试了http://spring.io/blog/2013/11/01/exception-handling-in-spring-mvc中的所有内容,但没有成功。

4

2 回答 2

1

您可以尝试创建一个DelegatingNegotiateSecurityFilter并设置一个AuthenticationFailureHandler.

DelegatingNegotiateSecurityFilterbean配置示例:

<bean id="waffleNegotiateSecurityFilter"
    class="waffle.spring.DelegatingNegotiateSecurityFilter"
    >
    <property name="allowGuestLogin" value="false" />
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    <property name="defaultGrantedAuthority">
        <null />
    </property>
</bean>
  • AuthenticationManager允许服务提供者授权委托人。
  • authenticationSuccessHandler允许服务提供者进一步填充Authentication对象。
  • 如果AuthenticationFailureHandlerAuthenticationManager 抛出AuthenticationException.
  • 如果AccessDeniedHandlerAuthenticationManager 抛出AccessDeniedException.

我希望这有帮助 ...

于 2016-10-26T21:22:11.753 回答
0

在深入研究 Spring 文档并跟踪实际上是什么华夫饼之后,我已经能够以以下“丑陋”的方式解决它。1. 禁用 /access-denied 页面的安全性以防止无休止的重定向循环 2. 包装 waffle 过滤器以捕获所有异常并重定向它

有没有人有更好的解决方案?

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/access-denied")
            .permitAll()
            .and()
            .authorizeRequests()
            .antMatchers("/**")
            .authenticated()
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(negotiateSecurityFilterEntryPoint())
            .accessDeniedPage("/access-denied")
            .and()
            .addFilterBefore(waffleNegotiateSecurityFilter(),
                    BasicAuthenticationFilter.class);
}

public class WaffleWrapperSecurityBean extends GenericFilterBean {
    @NotNull
    private final GenericFilterBean wrappedFilter;
    public WaffleWrapperSecurityBean(GenericFilterBean filter) {
        wrappedFilter = filter;
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        try {
            wrappedFilter.doFilter(request, response, chain);
        } catch (Exception e) {
            ((HttpServletResponse) response)
                    .sendRedirect("access-denied?message="
                            + e.getLocalizedMessage());
        }
    }
    @Override
    public void destroy() {
        wrappedFilter.destroy();
    }
}
// controller code ommited
于 2014-10-29T12:36:51.980 回答