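【Question title】: UsernamePasswordAuthenticationFilter skips success handler
【Posted】: 2019-08-17 19:58:00
【Question description】:

I'm having a hard time configuring my Spring Security. The problem is that my authentication filter always skips my success and failure handlers whenever I authenticate via a custom UsernamePasswordAuthenticationFilter. I can't seem to figure out why this happens.

First, I pass the authentication parameters as JSON and extract the username and password, then I pass these two parameters into a new UsernamePasswordAuthenticationToken(username, password), and then I get the authentication manager and authenticate the returned token. On successful full authentication, I expect the success handler to take over, but no, it doesn't get called at all.

This is my security configuration.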

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .csrf()
            .disable()
            .authorizeRequests()
            .and()
            .exceptionHandling()
            .authenticationEntryPoint(restAuthenticationEntryPoint)
            .and()
            .authorizeRequests()
            .antMatchers("/signup")
            .permitAll()
            .antMatchers("/", "/security/login", "/request", "/request.html")
            .authenticated()
            .and()
            .formLogin()
            .loginProcessingUrl("/security/login")
            .successHandler(authenticationSuccessHandler())
            .failureHandler(authenticationFailureHandler())
            .and()
            .logout()
            .logoutUrl("/logout")
            .permitAll()
            .and()
            .addFilterAfter
                    (authenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            //.and()
            .userDetailsService(userDetailsServiceBean());
}

The relevant beans are

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

    auth.userDetailsService(userDetailsServiceBean());
}

@Bean
@Override
public UserDetailsService userDetailsServiceBean() throws Exception {

    return new JdbcUserDetails();
}

@Bean
public RestAuthenticationSuccessHandler authenticationSuccessHandler(){
    return new RestAuthenticationSuccessHandler();
}

@Bean
public RestAuthenticationFailureHandler authenticationFailureHandler(){
    return new RestAuthenticationFailureHandler();
}

@Bean
JsonAuthenticationFilter authenticationFilter() throws Exception {
    logger.debug("Authenication filter processing loggin request    ");
    JsonAuthenticationFilter filter = new JsonAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManagerBean());
    return filter;
}

The filter is

public class JsonAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

        // getUserNamePasswordAuthenticationToken(...) is the asker's JSON-parsing helper; its body is not shown in the question
        UsernamePasswordAuthenticationToken authRequest = this.getUserNamePasswordAuthenticationToken(request);

        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }
}

And finally, my success handler

class RestAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication)
            throws ServletException, IOException {

        logger.debug("Successful login");
        System.out.println("\n\n\n\n\n\n\n\nresponse here\n\n\n\n\n\n\n");

        // Write the response body directly instead of redirecting
        response.getWriter().write("{This is a login success response}");
        response.getWriter().flush();
        response.getWriter().close();
    }
}

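I've been fighting with this for too long.

【Question discussion】:

  • Hi Adindu, small world. I've been scratching my head over this all day.
  • @inginia This can be tricky, hope you got it resolved?

Tags: java spring-boot spring-security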


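【Solution 1】:

Spring Security will back off on a given bean configuration when you supply that bean.

So, because you supplied your filter (JsonAuthenticationFilter), Spring Security expects that you'll know best how to compose it.

So, then, you'd instead do: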

@Bean
JsonAuthenticationFilter authenticationFilter() {
    JsonAuthenticationFilter filter = new JsonAuthenticationFilter();
    // .. other configs
    // Handlers must be set on the custom filter itself
    filter.setAuthenticationSuccessHandler(new RestAuthenticationSuccessHandler());
    filter.setAuthenticationFailureHandler(new RestAuthenticationFailureHandler());
    return filter;
}

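It looks like there is a lot going on, so if that doesn't solve your issue, feel free to put together a sample, say on GitHub, and I'd be happy to look it over.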
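
An added example, not part of the answer above or the asker's code: a complete version of the JSON login filter that carries its own success and failure handlers and fills in the JSON parsing the question leaves out. It assumes Spring Security 5.x with javax.servlet and Jackson on the classpath; the three-argument constructor and the JSON field names "username" and "password" are hypothetical.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Assumes Spring Security 5.x (javax.servlet) and Jackson; JSON field names are assumptions.
public class JsonAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private final ObjectMapper mapper = new ObjectMapper();

    // Hypothetical constructor: everything the filter needs is set on this instance.
    public JsonAuthenticationFilter(AuthenticationManager manager,
            AuthenticationSuccessHandler onSuccess, AuthenticationFailureHandler onFailure) {
        setAuthenticationManager(manager);
        // The inherited default matches POST /login; bind to the asker's URL and to POST only.
        setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/security/login", "POST"));
        setAuthenticationSuccessHandler(onSuccess);
        setAuthenticationFailureHandler(onFailure);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        Map<?, ?> body;
        try {
            body = mapper.readValue(request.getInputStream(), Map.class);
        } catch (IOException e) {
            // Empty or malformed JSON is reported as an authentication failure, so the failure handler answers it.
            throw new AuthenticationServiceException("Unreadable login request", e);
        }
        Object username = (body == null) ? null : body.get("username");
        Object password = (body == null) ? null : body.get("password");
        if (!(username instanceof String) || !(password instanceof String)) {
            throw new AuthenticationServiceException("username and password must be JSON strings");
        }
        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);
        setDetails(request, authRequest);
        return getAuthenticationManager().authenticate(authRequest);
    }
}
```

Register the instance with http.addFilterAt(filter, UsernamePasswordAuthenticationFilter.class). Handlers passed to formLogin() configure only the filter that formLogin() itself creates.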
