Shulou(Shulou.com)05/31 Report--

This article will explain in detail what to do about the custom exception of the Oauth2 authentication server in SpringCloud Alibaba. The editor thinks it is very practical, so I share it with you for reference. I hope you can get something after reading this article.

Preface

Problem: how to customize the authentication server to return an exception when using Spring Security OAuth3.

So first of all, let's take the Password mode as an example to see what exceptions will occur during authentication.

Authorization mode error

Here we deliberately change the authorization mode password to password1, and the authentication server returns the exception shown below

{"error": "unsupported_grant_type", "error_description": "Unsupported grant type: password1"}

Wrong password

The following exception error occurs when deliberately typing wrong username or password during authentication:

{"error": "invalid_grant", "error_description": "Bad credentials"}

Client error

Intentionally mistype client_id or client during authentication

{"error": "invalid_client", "error_description": "Bad client credentials"} above the return knot

The above return result is very unfriendly, and it is difficult for the front-end code to determine what the error is, so we need uniform exception handling for the returned error to return a uniform exception format.

Problem analysis

If you only focus on the solution, you can jump directly to the solution module!

OAuth3Exception exception handling

In the Oauth3 authentication server, the authentication logic finally calls the TokenEndpoint#postAccessToken () method, and once an OAuth3Exception exception occurs in the authentication, it will be caught by handleException (). As shown in the following figure, the debug screenshot is taken when an abnormal user password occurs:

After capturing the OAuth3Exception, the authentication server calls the WebResponseExceptionTranslator#translate () method to translate the exception.

The default translation processing implementation class is DefaultWebResponseExceptionTranslator. After the processing is completed, the handleOAuth3Exception () method is called to return the handled exception to the front end. This is the exception effect we saw earlier.

Students who are familiar with Oauth3 routines should know how to handle such exceptions, that is, "customize an exception translation class to return the custom format we need, and then inject it into the authentication server." "

However, this processing logic can only solve the OAuth3Exception exception, that is, "authorization mode exception" and "account password exception" in the preface, not our client exception.

Client exception handling

The exception of client authentication occurs on the filter ClientCredentialsTokenEndpointFilter, in which a post-added failure handling method is added, and finally the exception is handed over to OAuth3AuthenticationEntryPoint, the so-called authentication entry. The order of execution is as follows:

Then jump to the AbstractOAuth3SecurityExceptionHandler#doHandle () of the parent class for processing:

Finally, the DefaultOAuth3ExceptionRenderer#handleHttpEntityResponse () method outputs the exception to the client.

Treatment method

Through the above analysis, we know that the authentication failure exception of the client is transferred by the filter ClientCredentialsTokenEndpointFilter to OAuth3AuthenticationEntryPoint to get the response result. In this case, we can rewrite the ClientCredentialsTokenEndpointFilter and replace the native OAuth3AuthenticationEntryPoint with the custom AuthenticationEntryPoint, and get the exception data we want in the custom AuthenticationEntryPoint.

Solution

To resolve the above exceptions, we first need to write error codes for different exceptions: ReturnCode.java

CLIENT_AUTHENTICATION_FAILED (1001, "client authentication failed"), USERNAME_OR_PASSWORD_ERROR (1002, "wrong username or password"), UNSUPPORTED_GRANT_TYPE (1003, "unsupported authentication mode")

OAuth3Exception exception

@ Slf4j public class CustomWebResponseExceptionTranslator implements WebResponseExceptionTranslator {@ Override public ResponseEntity translate (Exception e) throws Exception {log.error ("Authentication Server exception", e); ResultData response = resolveException (e); return new ResponseEntity (response, HttpStatus.valueOf (response.getHttpStatus () } / * build returned exception * @ param e exception * @ return * / private ResultData resolveException (Exception e) {/ / initial value 500ReturnCode returnCode = ReturnCode.RC500; int httpStatus = HttpStatus.UNAUTHORIZED.value () / / unsupported authentication method if (e instanceof UnsupportedGrantTypeException) {returnCode = ReturnCode.UNSUPPORTED_GRANT_TYPE; / / username or password exception} else if (e instanceof InvalidGrantException) {returnCode = ReturnCode.USERNAME_OR_PASSWORD_ERROR;} ResultData failResponse = ResultData.fail (returnCode.getCode (), returnCode.getMessage ()); failResponse.setHttpStatus (httpStatus) Return failResponse;}}

Then inject a custom exception translation class into the authentication server configuration class

@ Override public void configure (AuthorizationServerEndpointsConfigurer endpoints) throws Exception {/ / if you need to use refresh_token mode, you need to inject userDetailService endpoints .authenticationManager (this.authenticationManager) .userDetailsService (userDetailService) / / inject tokenGranter .tokenGranter (tokenGranter) / / inject custom tokenservice. If you don't use custom tokenService, you need to move the configuration in tokenServce here / / .tokenServices (tokenServices ()); / / Custom exception conversion class endpoints.exceptionTranslator (new CustomWebResponseExceptionTranslator ());}

Client exception

Override the client authentication filter without using the default OAuth3AuthenticationEntryPoint handling exception

Public class CustomClientCredentialsTokenEndpointFilter extends ClientCredentialsTokenEndpointFilter {private final AuthorizationServerSecurityConfigurer configurer; private AuthenticationEntryPoint authenticationEntryPoint; public CustomClientCredentialsTokenEndpointFilter (AuthorizationServerSecurityConfigurer configurer) {this.configurer = configurer;} @ Override public void setAuthenticationEntryPoint (AuthenticationEntryPoint authenticationEntryPoint) {super.setAuthenticationEntryPoint (null); this.authenticationEntryPoint = authenticationEntryPoint;} @ Override protected AuthenticationManager getAuthenticationManager () {return configurer.and () .getSharedObject (AuthenticationManager.class) @ Override public void afterPropertiesSet () {setAuthenticationFailureHandler ((request, response, e)-> authenticationEntryPoint.commence (request, response, e)); setAuthenticationSuccessHandler ((request, response, authentication)-> {});}}

The exception handling logic is injected into the authentication server, and the custom exception returns the result. (the code is located at AuthorizationServerConfig)

@ Bean public AuthenticationEntryPoint authenticationEntryPoint () {return (request, response, e)-> {response.setStatus (HttpStatus.UNAUTHORIZED.value ()); ResultData resultData = ResultData.fail (ReturnCode.CLIENT_AUTHENTICATION_FAILED.getCode (), ReturnCode.CLIENT_AUTHENTICATION_FAILED.getMessage ()); WebUtils.writeJson (response,resultData);};}

Modify authentication server configuration and inject custom filter

@ Override public void configure (AuthorizationServerSecurityConfigurer security) throws Exception {CustomClientCredentialsTokenEndpointFilter endpointFilter = new CustomClientCredentialsTokenEndpointFilter (security); endpointFilter.afterPropertiesSet (); endpointFilter.setAuthenticationEntryPoint (authenticationEntryPoint ()); security.addTokenEndpointAuthenticationFilter (endpointFilter); security .authenticationEntryPoint (authenticationEntryPoint ()) / * allowFormAuthentication ForClients () * / / .tokenKeyAccess ("permitAll ()") .checkTokenAccess ("isAuthenticated ()") is required if form authentication is used.

At this point, you need to delete the allowFormAuthenticationForClients () configuration, otherwise the custom filter will not take effect, as to why it does not work, just take a look at the source code.

test

Authorization mode error

Wrong account password

Client error

On the "SpringCloud Alibaba Oauth2 authentication server custom exception how to do" this article to share here, I hope the above content can be of some help to you, so that you can learn more knowledge, if you think the article is good, please share it out for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.