如何在使用SimpleUrlAuthenticationFailureHandler时保留响应的HTTP状态?

huangapple go评论69阅读模式
英文:

How to preserve HTTP Status for response when using SimpleUrlAuthenticationFailureHandler?

问题

在Spring Boot应用程序中使用Spring Security 6,我想使用SimpleUrlAuthenticationFailureHandler并将HTTP状态码设置为401

public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(
            HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {

        /* 应该让XHR请求更容易区分成功和失败。 */
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        super.setDefaultFailureUrl(LOGIN_FAILURE_URL);
        super.onAuthenticationFailure(request, response, exception);
    }
}

不幸的是,在onAuthenticationFailure方法中设置的状态代码未传递到LOGIN_FAILURE_URL端点。相反,状态代码被设置为200

是否有一种方法可以在整个周期内保留一旦设置的HTTP状态代码?

非常感谢您的任何帮助

英文:

In a Spring Boot application with Spring Security 6 I wanna use a SimpleUrlAuthenticationFailureHandler and set the HTTP Staus Code to 401:

public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(
            HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {

        /* Should make it easier for XHR requests to distinguish between success and failure. */
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        super.setDefaultFailureUrl(LOGIN_FAILURE_URL);
        super.onAuthenticationFailure(request, response, exception);
    }
}

Unfortunately the status code set in the onAuthenticationFailure method doesn't make it to the LOGIN_FAILURE_URL endpoint. Instead, the status code gets being set to 200.

Is there a way to preserve the HTTP Status Code during the whole cycle, once being set?

<b>Many thanks for any help</b>

答案1

得分: 1

我猜这是因为默认情况下,SimpleUrlAuthenticationFailureHandler 会发送一个HTTP重定向请求到失败的URL。这是一个新的HTTP请求,因此你在之前请求的响应中配置的HTTP状态码将不会被保留。

所以尝试配置CustomAuthenticationFailureHandler 来转发请求到失败的URL,而不是进行HTTP重定向:

public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(
            HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {

        /* 应该使XHR请求更容易区分成功和失败。 */
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        super.setUseForward(true);
        super.setDefaultFailureUrl(LOGIN_FAILURE_URL);
        super.onAuthenticationFailure(request, response, exception);
    }
}
英文:

I guess it is because by default SimpleUrlAuthenticationFailureHandler sends a HTTP redirect request to the failure URL . It is a new HTTP request and hence the HTTP status code you configured in the previous request 's response will not be preserved.

So try to configure CustomAuthenticationFailureHandler to forward the request to the failure URL rather than a HTTP redirect by :

public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(
            HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {

        /* Should make it easier for XHR requests to distinguish between success and failure. */
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        super.setUseForward(true);
        super.setDefaultFailureUrl(LOGIN_FAILURE_URL);
        super.onAuthenticationFailure(request, response, exception);
    }
}

huangapple
  • 本文由 发表于 2023年6月11日 23:05:35
  • 转载请务必保留本文链接:https://go.coder-hub.com/76451086.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定