Spring Boot and Spring Security, can't send error with custom message in AuthenticationEntryPoint

huangapple
go评论58阅读模式
英文:

Spring Boot and Spring Security, can't send error with custom message in AuthenticationEntryPoint

问题

这是您提供的代码段的翻译:

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);
    
    @Override
    public void commence(HttpServletRequest httpServletRequest,
                         HttpServletResponse httpServletResponse,
                         AuthenticationException e) throws IOException, ServletException {
        logger.error("Responding with unauthorized error. Message - {}", e.getMessage());
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
    }
}

以及与安全配置相关的部分:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter { 
   ...

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                    .antMatchers(HttpMethod.POST, "/api/auth/**").permitAll()
                    .antMatchers(HttpMethod.GET, "/api/users/checkUsernameAvailability", "/api/users/checkEmailAvailability").permitAll()
                .anyRequest().authenticated();

        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
    ...
}

问题是,当我使用错误的凭据登录时,错误消息为空。

{
    "timestamp": "2020-09-03T17:16:28.082+00:00",
    "status": 401,
    "error": "Unauthorized",
    "message": "",
    "path": "/api/auth/signin"
}

然而,记录器却打印出了正确的消息。

c.m.p.s.JwtAuthenticationEntryPoint      : Responding with unauthorized error. Message - Bad credentials

这里可能出了什么问题?提前谢谢您。

英文:

I'm working on a restful api using spring boot, and going to use a custom authenticationEntryPoint. Here is the code

@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationEntryPoint.class);
    @Override
    public void commence(HttpServletRequest httpServletRequest,
                         HttpServletResponse httpServletResponse,
                         AuthenticationException e) throws IOException, ServletException {
        logger.error("Responding with unauthorized error. Message - {}", e.getMessage());
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
    }
}

And the related part in Security configuration.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        securedEnabled = true,
        jsr250Enabled = true,
        prePostEnabled = true
)
public class SecurityConfig extends WebSecurityConfigurerAdapter { 
   ...

    @Autowired
    private JwtAuthenticationEntryPoint unauthorizedHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .exceptionHandling()
                    .authenticationEntryPoint(unauthorizedHandler)
                    .and()
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, "/api/**").permitAll()
                    .antMatchers(HttpMethod.POST, "/api/auth/**").permitAll()
                    .antMatchers(HttpMethod.GET, "/api/users/checkUsernameAvailability", "/api/users/checkEmailAvailability").permitAll()
                .anyRequest().authenticated();

        http.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
    }
    ...
}

The problem is, when I log in with a wrong credential, the error message is empty.

{
    "timestamp": "2020-09-03T17:16:28.082+00:00",
    "status": 401,
    "error": "Unauthorized",
    "message": "",
    "path": "/api/auth/signin"
}

However, the logger prints correct message

c.m.p.s.JwtAuthenticationEntryPoint      : Responding with unauthorized error. Message - Bad credentials

What may go wrong here? Thank you in advance.

答案1

得分: 11

默认值为server.error.include-message"never"
因此,您只需要像这样配置您的application.yaml(或properties)

server:
  error:
    include-message: always
    include-binding-errors: always
英文:

Default value for server.error.include-message is "never".

Therefore, you just need to configure your application.yaml (or properties) like this

server:
  error:
    include-message: always
    include-binding-errors: always

huangapple
  • 本文由 发表于 2020年9月4日 03:28:08
  • 转载请务必保留本文链接:https://go.coder-hub.com/63730436.html
  • java
  • spring
  • spring-boot
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定