Shulou(Shulou.com)06/03 Report--

This article introduces the knowledge of "how to customize the authentication server to return exceptions when using Spring Security OAuth3". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

So first of all, let's take the Password mode as an example to see what exceptions will occur during authentication.

Authorization mode error

Here we deliberately change the authorization mode password to password1, and the authentication server returns the exception shown below

{

"error": "unsupported_grant_type"

"error_description": "Unsupported grant type: password1"

}

Wrong password

The following exception error occurs when deliberately typing wrong username or password during authentication:

{

"error": "invalid_grant"

"error_description": "Bad credentials"

}

Client error

Intentionally mistype client_id or client_secret during authentication

{

"error": "invalid_client"

"error_description": "Bad client credentials"

}

The above return result is very unfriendly, and it is difficult for the front-end code to determine what the error is, so we need uniform exception handling for the returned error to return a uniform exception format.

Problem analysis

If you only focus on the solution, you can jump directly to the solution module!

OAuth3Exception exception handling

In the Oauth3 authentication server, the authentication logic finally calls the TokenEndpoint#postAccessToken () method, and once an OAuth3Exception exception occurs in the authentication, it will be caught by handleException (). As shown in the following figure, the debug screenshot is taken when an abnormal user password occurs:

After capturing the OAuth3Exception, the authentication server calls the WebResponseExceptionTranslator#translate () method to translate the exception.

The default translation processing implementation class is DefaultWebResponseExceptionTranslator. After the processing is completed, the handleOAuth3Exception () method is called to return the handled exception to the front end. This is the exception effect we saw earlier.

Treatment method

Students who are familiar with Oauth3 routines should know how to handle such exceptions, that is, "customize an exception translation class to return the custom format we need, and then inject it into the authentication server." "

However, this processing logic can only solve the OAuth3Exception exception, that is, "authorization mode exception" and "account password exception" in the preface, not our client exception.

Client exception handling

The exception of client authentication occurs on the filter ClientCredentialsTokenEndpointFilter, in which a post-added failure handling method is added, and finally the exception is handed over to OAuth3AuthenticationEntryPoint, the so-called authentication entry. The order of execution is as follows:

Then jump to the AbstractOAuth3SecurityExceptionHandler#doHandle () of the parent class for processing:

Finally, the DefaultOAuth3ExceptionRenderer#handleHttpEntityResponse () method outputs the exception to the client.

Treatment method

Through the above analysis, we know that the authentication failure exception of the client is transferred by the filter ClientCredentialsTokenEndpointFilter to OAuth3AuthenticationEntryPoint to get the response result. In this case, we can rewrite the ClientCredentialsTokenEndpointFilter and replace the native OAuth3AuthenticationEntryPoint with the custom AuthenticationEntryPoint, and get the exception data we want in the custom AuthenticationEntryPoint.

Solution

To resolve the above exceptions, we first need to write error codes for different exceptions: ReturnCode.java

CLIENT_AUTHENTICATION_FAILED (1001, client authentication failed)

USERNAME_OR_PASSWORD_ERROR (1002, "wrong username or password")

UNSUPPORTED_GRANT_TYPE (1003, "unsupported authentication mode")

OAuth3Exception exception

As mentioned above, we write a custom exception translation class CustomWebResponseExceptionTranslator

@ Slf4j

Public class CustomWebResponseExceptionTranslator implements WebResponseExceptionTranslator {

@ Override

Public ResponseEntity translate (Exception e) throws Exception {

Log.error ("Authentication Server exception", e)

ResultData response = resolveException (e)

Return new ResponseEntity (response, HttpStatus.valueOf (response.getHttpStatus ()

}

/ * *

* build returned exception

* @ param e exception

* @ return

, /

Private ResultData resolveException (Exception e) {

/ / initial value 500

ReturnCode returnCode = ReturnCode.RC500

Int httpStatus = HttpStatus.UNAUTHORIZED.value ()

/ / unsupported authentication method

If (e instanceof UnsupportedGrantTypeException) {

ReturnCode = ReturnCode.UNSUPPORTED_GRANT_TYPE

/ / user name or password is abnormal

} else if (e instanceof InvalidGrantException) {

ReturnCode = ReturnCode.USERNAME_OR_PASSWORD_ERROR

}

ResultData failResponse = ResultData.fail (returnCode.getCode (), returnCode.getMessage ())

FailResponse.setHttpStatus (httpStatus)

Return failResponse

}

}

Then inject a custom exception translation class into the authentication server configuration class

@ Override

Public void configure (AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

/ / if you need to use refresh_token mode, you need to inject userDetailService

Endpoints

.authenticationManager (this.authenticationManager)

.userDetailsService (userDetailService)

/ / inject tokenGranter

.tokenGranter (tokenGranter)

/ / inject a custom tokenservice. If you don't use a custom tokenService, you need to move the configuration in the tokenServce here.

/ / .tokenServices (tokenServices ())

/ / Custom exception conversion class

Endpoints.exceptionTranslator (new CustomWebResponseExceptionTranslator ())

}

Client exception

Override the client authentication filter without using the default OAuth3AuthenticationEntryPoint handling exception

Public class CustomClientCredentialsTokenEndpointFilter extends ClientCredentialsTokenEndpointFilter {

Private final AuthorizationServerSecurityConfigurer configurer

Private AuthenticationEntryPoint authenticationEntryPoint

Public CustomClientCredentialsTokenEndpointFilter (AuthorizationServerSecurityConfigurer configurer) {

This.configurer = configurer

}

@ Override

Public void setAuthenticationEntryPoint (AuthenticationEntryPoint authenticationEntryPoint) {

Super.setAuthenticationEntryPoint (null)

This.authenticationEntryPoint = authenticationEntryPoint

}

@ Override

Protected AuthenticationManager getAuthenticationManager () {

Return configurer.and () getSharedObject (AuthenticationManager.class)

}

@ Override

Public void afterPropertiesSet () {

SetAuthenticationFailureHandler ((request, response, e)-> authenticationEntryPoint.commence (request, response, e))

SetAuthenticationSuccessHandler ((request, response, authentication)-> {

});

}

}

The exception handling logic is injected into the authentication server, and the custom exception returns the result. (the code is located at AuthorizationServerConfig)

@ Bean

Public AuthenticationEntryPoint authenticationEntryPoint () {

Return (request, response, e)-> {

Response.setStatus (HttpStatus.UNAUTHORIZED.value ())

ResultData resultData = ResultData.fail (ReturnCode.CLIENT_AUTHENTICATION_FAILED.getCode (), ReturnCode.CLIENT_AUTHENTICATION_FAILED.getMessage ())

WebUtils.writeJson (response,resultData)

}

}

Modify authentication server configuration and inject custom filter

@ Override

Public void configure (AuthorizationServerSecurityConfigurer security) throws Exception {

CustomClientCredentialsTokenEndpointFilter endpointFilter = new CustomClientCredentialsTokenEndpointFilter (security)

EndpointFilter.afterPropertiesSet ()

EndpointFilter.setAuthenticationEntryPoint (authenticationEntryPoint ())

Security.addTokenEndpointAuthenticationFilter (endpointFilter)

Security

.authenticationEntryPoint (authenticationEntryPoint ())

/ * .allowFormauthenticationForClients () * / / if you use form authentication, you need to add

.tokenKeyAccess ("permitAll ()")

.checkTokenAccess ("isAuthenticated ()")

}

At this point, you need to delete the allowFormAuthenticationForClients () configuration, otherwise the custom filter will not take effect, as to why it does not work, just take a look at the source code.

test

Authorization mode error

Wrong account password

Client error

This is the end of the content of "how to customize the authentication server to return exceptions when using Spring Security OAuth3". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.