自定义身份验证过滤器的 Spring Security 401 错误
我们正在使用 Java 和 Spring 开发一个网站。作为服务器,我们使用基于 Tomcat 6.0.29 的自定义服务器。 在 web.xml 文件中声明了此自定义身份验证过滤器:
<security:custom-filter ref="extraFieldAuthenticationProvider"
before="FORM_LOGIN_FILTER"/>
以及以下内容:
<security:form-login login-page="/view/page/login"
default-target-url="/view/page/display"
authentication-failure-handler-ref="CustomAuthenticationFailureHandler"
authentication-success-handler-ref="CustomAuthenticationSuccessHandler"/>
以下是 extraFieldAuthenticationProvider 类:
public class ExtraFieldAuthenticationFilter
extends UsernamePasswordAuthenticationFilter {
private final static Logger LOG =
Logger.getLogger(ExtraFieldAuthenticationFilter.class.getName());
@Override
protected String obtainUsername(HttpServletRequest request) {
String userName = super.obtainUsername(request);
String type = request.getParameter(WebConstants.PARAM_J__TYPE);
return StringUtils.join(new String[]{type, userName});
}
}
问题是登录不成功时,我收到 Tomcat 401 错误。控制权未交给 CustomAuthenticationFailureHandler。
有什么想法吗? (顺便说一句...我对 Spring Security 比较陌生,我正在调试另一个人的代码)
非常感谢!
Krt_马耳他
We're developing a website using Java and Spring. As a server, we're using a custom server based on Tomcat 6.0.29.
In the web.xml file there is this custom authentication filter declared:
<security:custom-filter ref="extraFieldAuthenticationProvider"
before="FORM_LOGIN_FILTER"/>
along with the following:
<security:form-login login-page="/view/page/login"
default-target-url="/view/page/display"
authentication-failure-handler-ref="CustomAuthenticationFailureHandler"
authentication-success-handler-ref="CustomAuthenticationSuccessHandler"/>
The following is the extraFieldAuthenticationProvider class:
public class ExtraFieldAuthenticationFilter
extends UsernamePasswordAuthenticationFilter {
private final static Logger LOG =
Logger.getLogger(ExtraFieldAuthenticationFilter.class.getName());
@Override
protected String obtainUsername(HttpServletRequest request) {
String userName = super.obtainUsername(request);
String type = request.getParameter(WebConstants.PARAM_J__TYPE);
return StringUtils.join(new String[]{type, userName});
}
}
The problem is that on an unsuccessful login, I'm getting a Tomcat 401 error. Control is not being given to CustomAuthenticationFailureHandler.
Any ideas plz? (Bdw...I'm relatively new to Spring Security, I'm debugging another person's code)
Thanks a lot!
Krt_Malta
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您首先需要验证问题是否出在 Tomcat 服务器的配置上(例如,Tomcat 身份验证是否已设置,它是否期望您在您的 Tomcat 中提供客户端证书(
clientAuth="true") Tomcat 服务器配置)等。如果您可以验证该控件是否通过了 Spring Security 的初始 Tomcat 身份验证,那么可能有不同的解决方案,但您没有向我们提供所有相关代码。看起来代码正在检查与身份验证请求一起传递的附加表单参数,这将在
WebConstants.PARAM_J__TYPE常量中定义。You first need to verify if the problem is with the configuration of your Tomcat server (for example, is Tomcat authentication set up, is it expecting you to present a client certificate (
clientAuth="true"in your Tomcat server configuration), etc.If you can verify that the control is or isn't getting past initial Tomcat authentication to Spring Security, then there may be a different solution. You haven't provided us with all the relevant code, but it looks like the code is checking for an additional form parameter to be passed along with the authentication request. This would be defined in the
WebConstants.PARAM_J__TYPEconstant.