【问题标题】:Spring boot UserNotFound messageSpring Boot UserNotFound 消息
【发布时间】:2021-11-12 23:17:12
【问题描述】:

我正在尝试在 Spring Boot (2.5.3) 中进行基本身份验证,并在 DB 中找不到用户时调用 UserNotFoundException。

@Override
public User findByUserName(String username){

    try {

        return (User) template.queryForObject("SELECT * FROM USERS WHERE email = ?",
                new BeanPropertyRowMapper(User.class), username);

    } catch (EmptyResultDataAccessException e) {
        throw new UsernameNotFoundException("User not found");
    }
}

但结果我收到消息“凭证错误”。我的异常已被 BadCredential Exception 更改。

public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {

private ObjectMapper objectMapper = new ObjectMapper();

@Override
public void onAuthenticationFailure(
        HttpServletRequest request,
        HttpServletResponse response,
        AuthenticationException ex) throws IOException, ServletException {

    response.setStatus(HttpStatus.UNAUTHORIZED.value());
    //HttpStatus.FORBIDDEN
    Map<String, Object> data = new HashMap<>();
    data.put(
            "timestamp",
            Calendar.getInstance().getTime());
    data.put(
            "exception",
            ex.getMessage());

    System.out.println(ex.getClass());

    response.getOutputStream()
            .println(objectMapper.writeValueAsString(data));
}

class org.springframework.security.authentication.BadCredentialsException

我应该重写什么才能看到 UserNotFoundException 错误消息?

【问题讨论】:

    标签: spring-boot spring-mvc spring-security


    【解决方案1】:

    您可以将AuthenticationProvider 配置为在找不到用户名时抛出UsernameNotFoundException 而不是BadCredentialsException

    请注意,这被认为不太安全

    来自setHideUserNotFoundExceptionsJavadoc:

    默认情况下,如果未找到用户名或密码不正确,AbstractUserDetailsAuthenticationProvider 会抛出 BadCredentialsException。将此属性设置为false 将导致UsernameNotFoundExceptions 被抛出而不是前者。请注意,这被认为不如针对两种异常抛出 BadCredentialsException 安全。

    如果您选择这样做,下面是一个如何使用setHideUserNotFoundExceptions的示例

    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(customUserDetailsService);
        provider.setPasswordEncoder(customPasswordEncoder);
        provider.setHideUserNotFoundExceptions(false) ;
        return provider;
    }
    

    【讨论】:

      【解决方案2】:

      制作自定义身份验证提供程序

          public class CustomAuthenticationProvider implements AuthenticationProvider {
      
          @Autowired
          private Repository repository;
      
          @Override
          public Authentication authenticate(Authentication authentication) throws AuthenticationException {
              String name = authentication.getName();
              String password = authentication.getCredentials().toString();
      
              User user = repository.findByUserName(name);
      
              if(!encoder().matches(password, user.getPassword())){
                  throw new BadCredentialsException("Bad credentials");
              }
      
              return new UsernamePasswordAuthenticationToken(user, password,
                              Arrays.asList(new SimpleGrantedAuthority("USER_ROLE")));
              
          }
      
          @Override
          public boolean supports(Class<?> authentication) {
              return authentication.equals(UsernamePasswordAuthenticationToken.class);
          }
      
          @Bean
          public PasswordEncoder encoder() {
              return new BCryptPasswordEncoder();
          }
      }
      

      就像那里解释的https://www.baeldung.com/spring-security-authentication-provider

      【讨论】:

        猜你喜欢
        • 1970-01-01
        • 1970-01-01
        • 2016-02-02
        • 1970-01-01
        • 2019-04-30
        • 2015-07-10
        • 1970-01-01
        • 1970-01-01
        • 1970-01-01
        相关资源
        最近更新 更多