
What to do when authentication fails in a custom Spring Security setup

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03

This article shows what to do when authentication fails in a custom Spring Security setup. The editor finds it very practical and shares it here as a reference.

1. Overview

In this quick tutorial, we will demonstrate how to customize Spring Security authentication failure handling in a Spring Boot application. The goal is to authenticate the user using the form login method.

2. Authentication and Authorization

Authentication and authorization are often used together because they play equally important roles in granting access to the system.

However, they have different meanings and apply different constraints when validating requests:

Authentication - comes before authorization; it is about verifying the credentials received: we verify that the user name and password match those recognized by our application.

Authorization - verifies that the successfully authenticated user has access to a given feature of the application.

We can customize authentication and authorization failure handling, but in this application, we will focus on authentication failures.

3. AuthenticationFailureHandler of Spring Security

Spring Security provides a component that handles authentication failures by default.

However, the default behavior is often not sufficient to meet actual requirements.

If this is the case, we can create our own components and provide the custom behavior we want by implementing the AuthenticationFailureHandler interface:

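    import java.io.IOException;
    import java.util.Calendar;
    import java.util.HashMap;
    import java.util.Map;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.http.HttpStatus;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.AuthenticationFailureHandler;

    import com.fasterxml.jackson.databind.ObjectMapper;

    public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {

        private ObjectMapper objectMapper = new ObjectMapper();

        @Override
        public void onAuthenticationFailure(
                HttpServletRequest request,
                HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException {

            // Answer with 401 instead of redirecting to the login page
            response.setStatus(HttpStatus.UNAUTHORIZED.value());

            // JSON body: when the failure happened and the exception message
            Map<String, Object> data = new HashMap<>();
            data.put("timestamp", Calendar.getInstance().getTime());
            data.put("exception", exception.getMessage());

            response.getOutputStream().println(objectMapper.writeValueAsString(data));
        }
    }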

By default, Spring redirects the user back to the login page using request parameters that contain error messages.

In this application, we will return a 401 response that contains information about the error and the timestamp when the error occurred.

Spring Security also provides other AuthenticationFailureHandler implementations:

DelegatingAuthenticationFailureHandler delegates AuthenticationException subclasses to different AuthenticationFailureHandlers, which means that we can create different behaviors for different instances of AuthenticationException.

ExceptionMappingAuthenticationFailureHandler redirects the user to a specific URL based on the full class name of the AuthenticationException.

ForwardAuthenticationFailureHandler forwards the user to the specified URL, regardless of the type of AuthenticationException.

SimpleUrlAuthenticationFailureHandler is the default component; if a failureUrl is specified, it redirects the user to it, otherwise it simply returns a 401 response.

Now that we have created a custom AuthenticationFailureHandler, let's configure our application and override the default handler for Spring:

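    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.AuthenticationFailureHandler;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Demo user only. Spring Security 5+ also needs a PasswordEncoder bean
            // or an encoding prefix such as {noop} on the password.
            auth
                .inMemoryAuthentication()
                .withUser("baeldung")
                .password("baeldung")
                .roles("USER");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                // Replace the default failure handling with our own
                .failureHandler(customAuthenticationFailureHandler());
        }

        @Bean
        public AuthenticationFailureHandler customAuthenticationFailureHandler() {
            return new CustomAuthenticationFailureHandler();
        }
    }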

Notice the failureHandler() call, where we tell Spring to use our custom component instead of the default one.
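The handler above sends exception.getMessage() to the client, and that message differs by failure type (bad credentials, locked or disabled account), so the response can reveal account state. The variant below is an added example, not code from the original article: it returns one generic message for every failure and keeps the failure type in the server log. The class name and the "error" field name are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical class name; a variant of CustomAuthenticationFailureHandler.
public class GenericMessageAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final Logger log =
            LoggerFactory.getLogger(GenericMessageAuthenticationFailureHandler.class);

    private final ObjectMapper objectMapper = new ObjectMapper();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException {

        // Server side: record the precise failure type for detection and
        // incident response. Submitted credentials are never logged.
        log.warn("Authentication failure type={} remoteAddr={}",
                exception.getClass().getSimpleName(), request.getRemoteAddr());

        // Client side: identical status and body for every failure type.
        Map<String, Object> data = new LinkedHashMap<>();
        data.put("timestamp", Instant.now().toString());
        data.put("error", "Authentication failed");

        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding("UTF-8");
        objectMapper.writeValue(response.getWriter(), data);
    }
}
```

To use it, return this class from the customAuthenticationFailureHandler() bean in place of CustomAuthenticationFailureHandler.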
