Spring Security需要在BadCredentialsException上重定向到登录页面

debugcn 发表于 Dev

杰耶什

我是Spring Security的新手。我遇到一个问题，由于特定原因身份验证失败时，我需要获取错误才能在“登录”页面上显示。

另外，我正在基于对URL的Web服务调用对用户进行身份验证。以下是我的配置，我也已配置authentication-failure-handler-ref

<security:http auto-config="true" use-expressions="true" access-denied-page="/accessDenied.jsp">
    <security:form-login  login-page="/login.jsp" authentication-failure-handler-ref="authenticationFailureHandler"
        default-target-url="/jsp/home"   />

    <security:intercept-url pattern="/login.jsp"
        access="permitAll" />

    <security:intercept-url pattern="/jsp/home"
        access="permitAll" />

    <security:intercept-url pattern="/jsp/*"
        access="isAuthenticated()" />


    <security:logout logout-url="/j_spring_security_logout" logout-success-url="/login.jsp?logout=success" 
        invalidate-session="true"  />

</security:http> 

    <bean id="ldapAuthenticationProvider" class="com.on.transport.authentication.MyAuthenticationProvider">
    </bean>

    <security:authentication-manager alias="authenticationManager">
         <security:authentication-provider ref='ldapAuthenticationProvider'/>   
    </security:authentication-manager>

    <bean id="customUserDetailsService" class="com.service.CustomUserDetailsService">
    </bean>     

<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <property name="exceptionMappings">
        <props>
            <prop key="org.springframework.security.authentication.BadCredentialsException">/errorPage.jsp?login_error=1</prop>
            <prop key="org.springframework.security.authentication.CredentialsExpiredException">/login.jsp?status=2</prop>
            <prop key="org.springframework.security.authentication.LockedException">/login.jsp?status=3</prop>
            <prop key="org.springframework.security.authentication.DisabledException">/login.jsp?status=4</prop>     
        </props>
    </property>
</bean>

当我像下面这样写“ authentication-failure-url”时，一切工作正常，

<security:http  ......>
        <security:form-login  login-page="/login.jsp"
            default-target-url="/jsp/home"  authentication-failure-url="/login.jsp?status=1" />
                  ............
</security:http>

但是我需要以一种可以检查不同类型的异常的方式进行配置。

身份验证提供者

   public class MyAuthenticationProvider implements AuthenticationProvider {

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {

        UsernamePasswordAuthenticationToken auth = (UsernamePasswordAuthenticationToken) authentication;

        String username = auth.getName();
        String password = (String)auth.getCredentials();

        UserUpdated user = null;
        int status=0;
        try{
            status = webservice.authenticate(username, password); 
               //webservice is object one is used to authenticate

            if(status==1){
                List<GrantedAuthority> grantedAuthoritiesList = new ArrayList<GrantedAuthority>();

                if(username!=null && (username.equals("test") || username.equals("[email protected]"))){
                    grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_ADMIN")); 
                }else{
                    grantedAuthoritiesList.add(new GrantedAuthorityImpl("ROLE_USER"));
                }

                return new UsernamePasswordAuthenticationToken(username, null, grantedAuthoritiesList);

            }else if(status==2){
                throw new BadCredentialsException("Incorrect Email Id or Password.");
            }
        }catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    @Override
    public boolean supports(Class<? extends Object> authentication) {
        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }
}

我收到以下错误消息：

HTTP Status 401 - Authentication Failed: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

相反，我需要重定向到带有错误消息的“登录”页面。

我可以看到日志为

org.springframework.security.authentication.BadCredentialsException: Incorrect Email Id or Password
    at com.on.transport.authentication.MyAuthenticationProvider.authenticate(MyAuthenticationProvider.java:98)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)

[AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication] - Authentication request failed: org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
2013-09-07 13:05:42,685 DEBUG http-8080-2 [AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication] - Updated SecurityContextHolder to contain null Authentication
2013-09-07 13:05:42,686 DEBUG http-8080-2 [AbstractAuthenticationProcessingFilter.unsuccessfulAuthentication] - Delegating to authentication failure handler org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler@3aabc1
2013-09-07 13:05:42,686 DEBUG http-8080-2 [SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure] - No failure URL set, sending 401 Unauthorized error
2013-09-07 13:05:42,686 DEBUG http-8080-2 [HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper.saveContext] - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-09-07 13:05:42,687 DEBUG http-8080-2 [SecurityContextPersistenceFilter.doFilter] - SecurityContextHolder now cleared, as request processing completed