我有一组自定义的身份验证调用和提供程序。当他们失败时,我只想寄回401。在Spring 4/Springboot 1.5中,我提供了一个定制的SimpleUrlAuthenticationFailureHandler,它将401写回响应。
我正在迁移到Spring/SpringSecurity5,我遇到了一个问题,我似乎无法禁用默认的安全机制,特别是ExceptionTranslationFilter,它坚持接受AccessDeniedException并在我之前提交响应时抛出ServletException,如果不提交,则用403覆盖它。
以下是我的安全配置的相关部分:
@Override
protected void configure(HttpSecurity httpSec) throws Exception {
final HttpSecurity.RequestMatcherConfigurer requestMatcherConfigurer = httpSec.requestMatchers();
final ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry expressionInterceptUrlRegistry =
requestMatcherConfigurer.and().authorizeRequests();
expressionInterceptUrlRegistry
.antMatchers("/health").permitAll()
.antMatchers("/v*/**").authenticated()
.antMatchers("/trace").permitAll();
// disable sessions
httpSec.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
httpSec.formLogin().disable(); //added this when moving from Sp4 to 5, trying to disable.
httpSec.httpBasic().disable(); //added this when moving from Sp4 to 5, trying to disable.
httpSec.csrf().disable();
httpSec.headers()
.frameOptions().sameOrigin(); // TODO: revisit this
AbstractPreAuthenticatedProcessingFilter authFilter = authFilter();
authFilter.setAuthenticationFailureHandler(new MyAuthHandler());
httpSec.addFilterBefore(
authFilter,
UsernamePasswordAuthenticationFilter.class);
}
