difference between EntryPoint and handler in Spring Security

Question


In Spring Security, when it comes to authentication, an AuthenticationException occurs, and I know that logic such as redirection is performed through AuthenticationEntryPoint. An authorization exception throws AccessDeniedException and AccessDeniedHandler handles it.

However, both of these are objects that are responsible for processing logic for specific exceptions, so I don't know why they are created as objects with different names, EntryPoint and Handler. The function to override when inheriting EntryPoint and the function to implement when inheriting Handler are even the same form.

public interface AuthenticationEntryPoint {

	void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
			throws IOException, ServletException;

}

public interface AccessDeniedHandler {

	void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
			throws IOException, ServletException;

}

Why does Spring Security not handle exceptions with a single object called handler, but with separate EntryPoint objects? I'm curious about the difference between the two.

Answer 1

Score: 1


Two different names for two different use cases:

  • entrypoint: if you are not logged in (authentication)
  • access denied: if you are not allowed to access a resource (authorization)

See Spring Security Reference:

> Handling Security Exceptions
>
> The ExceptionTranslationFilter allows translation of AccessDeniedException and AuthenticationException into HTTP responses.
>
> ExceptionTranslationFilter is inserted into the FilterChainProxy as one of the Security Filters.
>
> The following image shows the relationship of ExceptionTranslationFilter to other components:
>
> [Figure: relationship of ExceptionTranslationFilter to other components]
>
> 1. First, the ExceptionTranslationFilter invokes FilterChain.doFilter(request, response) to invoke the rest of the application.
>
> 2. If the user is not authenticated or it is an AuthenticationException, then Start Authentication.
>
> - The SecurityContextHolder is cleared out.
>
> - The HttpServletRequest is saved so that it can be used to replay the original request once authentication is successful.
>
> - The AuthenticationEntryPoint is used to request credentials from the client. For example, it might redirect to a log in page or send a WWW-Authenticate header.
>
> 3. Otherwise, if it is an AccessDeniedException, then Access Denied. The AccessDeniedHandler is invoked to handle access denied.
>
> If the application does not throw an AccessDeniedException or an AuthenticationException, then ExceptionTranslationFilter does not do anything.
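To make the two roles concrete, here is an added example (not code from the question, the answers, or the Spring Security reference) that wires a custom AuthenticationEntryPoint next to a custom AccessDeniedHandler for a JSON API. It assumes Spring Boot 3 / Spring Security 6 (the jakarta.servlet namespace and the lambda-style HttpSecurity DSL); the package name, URL patterns, role name and JSON bodies are placeholders. The entry point answers an unauthenticated request with 401 plus a WWW-Authenticate challenge instead of a redirect, the handler answers an authenticated-but-unauthorized request with 403, and neither echoes the exception message to the client.

```java
// Added example (not from the question or answers): a custom
// AuthenticationEntryPoint (401, "who are you?") beside a custom
// AccessDeniedHandler (403, "you may not"), wired into one SecurityFilterChain.
// Assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet namespace);
// package, URL patterns, role and JSON bodies are placeholders.
package com.example.security; // hypothetical package

import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    /** Invoked for an AuthenticationException: no valid credentials were presented. */
    static class JsonAuthenticationEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException) throws IOException {
            // ExceptionTranslationFilter has already cleared the SecurityContextHolder
            // before calling us, so there is no principal to consult here.
            // For an API we challenge with 401 + WWW-Authenticate rather than
            // redirecting to a login page, and we keep authException.getMessage()
            // out of the response body.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.getWriter().write("{\"error\":\"authentication_required\"}");
        }
    }

    /** Invoked for an AccessDeniedException: the caller is known but lacks the required authority. */
    static class JsonAccessDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException) throws IOException {
            // The security context is intact here; 403 tells the client that
            // retrying with the same credentials will not help.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.getWriter().write("{\"error\":\"access_denied\"}");
        }
    }

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN") // placeholder path and role
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(new JsonAuthenticationEntryPoint())
                .accessDeniedHandler(new JsonAccessDeniedHandler()));
        return http.build();
    }
}
```

With this in place, a request to /admin/... with no credentials reaches the entry point (401), while the same request from a user who authenticated but does not hold ROLE_ADMIN reaches the access-denied handler (403). An anonymous user who triggers an AccessDeniedException is also routed to the entry point, which is the "if the user is not authenticated" branch of step 2 in the quoted reference. Session and CSRF policy for a stateless API are left at their defaults here to keep the focus on the two callbacks.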

Answer 2

Score: 1


EntryPoint (AuthenticationEntryPoint) handles authentication exceptions and Handler (AccessDeniedHandler) handles authorisation exceptions.

I think it is more a code design decision about the granularity of the interface, and the author decided to have a more fine-grained interface such that it is more SRP as authentication and authorisation are really different things.

huangapple
  • Posted on 2023-05-28 09:54:36
  • Please keep this link when reposting: https://go.coder-hub.com/76349670.html