In Spring Security, when it comes to authentication, an `AuthenticationException` occurs, and I know that logic such as redirection is performed through `AuthenticationEntryPoint`. An authorization exception throws `AccessDeniedException`, and `AccessDeniedHandler` handles it.

However, both of these are objects that are responsible for processing logic for specific exceptions, so I don't know why they are created as objects with different names, EntryPoint and Handler. The function to override when inheriting EntryPoint and the function to implement when inheriting Handler even have the same form.
```java
// Both callbacks are invoked by ExceptionTranslationFilter and have the same shape.
public interface AuthenticationEntryPoint {
    // Called when the caller must authenticate (anonymous request or AuthenticationException).
    void commence(HttpServletRequest request, HttpServletResponse response,
                  AuthenticationException authException) throws IOException, ServletException;
}

public interface AccessDeniedHandler {
    // Called when an authenticated caller is not allowed to access the resource (AccessDeniedException).
    void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException;
}
```
Why does Spring Security not handle exceptions with a single object called handler, but with separate EntryPoint objects? I'm curious about the difference between the two.
Answer 1
Score: 1
Two different names for two different use cases:
- entrypoint: if you are not logged in (authentication)
- access denied: if you are not allowed to access a resource (authorization)

See Spring Security Reference:

> Handling Security Exceptions
>
> The `ExceptionTranslationFilter` allows translation of `AccessDeniedException` and `AuthenticationException` into HTTP responses.
>
> `ExceptionTranslationFilter` is inserted into the FilterChainProxy as one of the Security Filters.
>
> The following image shows the relationship of `ExceptionTranslationFilter` to other components:
>
> 1. First, the `ExceptionTranslationFilter` invokes `FilterChain.doFilter(request, response)` to invoke the rest of the application.
>
> 2. If the user is not authenticated or it is an `AuthenticationException`, then Start Authentication.
>
>    - The SecurityContextHolder is cleared out.
>
>    - The `HttpServletRequest` is saved so that it can be used to replay the original request once authentication is successful.
>
>    - The `AuthenticationEntryPoint` is used to request credentials from the client. For example, it might redirect to a log in page or send a `WWW-Authenticate` header.
>
> 3. Otherwise, if it is an `AccessDeniedException`, then Access Denied. The `AccessDeniedHandler` is invoked to handle access denied.
>
> If the application does not throw an `AccessDeniedException` or an `AuthenticationException`, then `ExceptionTranslationFilter` does not do anything.
Answer 2
Score: 1
EntryPoint (`AuthenticationEntryPoint`) handles authentication exceptions and Handler (`AccessDeniedHandler`) handles authorisation exceptions.

I think it is more a code design decision about the granularity of the interface, and the author decided to have a more fine-grained interface such that it is more SRP, as authentication and authorisation are really different things.
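Added example (not code from the question or either answer): a Spring Boot 3 / Spring Security 6 configuration that wires one implementation of each interface, so the two paths the reference quoted in Answer 1 describes (Start Authentication vs Access Denied) become two distinct HTTP responses. The class name, the `/admin/**` path, the realm and the JSON bodies are assumptions.

```java
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
public class ApiSecurityConfig {   // hypothetical class name
    // Authentication path (anonymous caller or AuthenticationException): the
    // SecurityContext is already cleared, so the only job is to request credentials.
    // An API answers 401 with a challenge header instead of redirecting to a login page.
    @Bean
    AuthenticationEntryPoint apiEntryPoint() {
        return (request, response, authException) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"authentication_required\"}");
        };
    }

    // Authorization path (AccessDeniedException): the caller IS authenticated but lacks
    // the required authority. No credential challenge is sent: 403 tells the client
    // that re-authenticating as the same user will not help.
    @Bean
    AccessDeniedHandler apiAccessDeniedHandler() {
        return (request, response, accessDeniedException) -> {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json");
            response.getWriter().write("{\"error\":\"forbidden\"}");
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationEntryPoint entryPoint,
                                    AccessDeniedHandler deniedHandler) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                    .requestMatchers("/admin/**").hasRole("ADMIN")   // assumed path/role
                    .anyRequest().authenticated())
            .httpBasic(basic -> basic.authenticationEntryPoint(entryPoint))
            // ExceptionTranslationFilter routes each exception type to its own callback.
            .exceptionHandling(ex -> ex
                    .authenticationEntryPoint(entryPoint)
                    .accessDeniedHandler(deniedHandler));
        return http.build();
    }
}
```

To check the wiring: an unauthenticated request to any path should get 401 plus a `WWW-Authenticate` header, while an authenticated non-ADMIN user requesting `/admin/**` should get 403 with no challenge header.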