Spring Security CookieTheftException
Author: Internet
I am using PersistentTokenBasedRememberMeServices in a Spring Boot application (Spring Security 4.0.3). Below is a snippet of the token configuration:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.formLogin()
            .failureHandler(myAuthenticationFailureHandler)
            .loginProcessingUrl("/login")
            .usernameParameter("username")
            .passwordParameter("password")
        .and().exceptionHandling()
        .and().authorizeRequests()
            .antMatchers(this.getOpenURLS()).permitAll()
            .anyRequest().authenticated()
        .and().addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class)
            .csrf().csrfTokenRepository(csrfTokenRepository())
        .and().rememberMe()
            .rememberMeServices(rememberMeServices())
            .key(C_REMEMBER_ME_APP_KEY)
        .and().logout();
}

@Bean
public AbstractRememberMeServices rememberMeServices() {
    PersistentTokenBasedRememberMeServices rememberMeServices = null;
    try {
        rememberMeServices = new PersistentTokenBasedRememberMeServices(
                C_REMEMBER_ME_APP_KEY, userDetailsService, persistentTokenRepository());
        // Token validity of two days, expressed in seconds
        rememberMeServices.setTokenValiditySeconds((int) TimeUnit.SECONDS.convert(2, TimeUnit.DAYS));
        rememberMeServices.setParameter(C_REMEMBER_ME_PARAMETER);
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return rememberMeServices;
}
```
The configuration works as expected. The problem I have is that I am unable to handle/catch org.springframework.security.web.authentication.rememberme.CookieTheftException whenever it is thrown. For example, to make sure I could catch this exception, I started a session with a user, went into the database and changed the token (to a value different from the one stored in the browser), and restarted the Tomcat server. When I tried to access the application, a CookieTheftException was thrown immediately.
I have a SimpleMappingExceptionResolver bean in my configuration, as follows:
```java
@Bean(name = "simpleMappingExceptionResolver")
public SimpleMappingExceptionResolver createSimpleMappingExceptionResolver() {
    SimpleMappingExceptionResolver r = new SimpleMappingExceptionResolver();
    Properties mappings = new Properties();
    mappings.setProperty("CookieTheftException", "cookieException");
    mappings.setProperty(".CookieTheftException", "cookieException");
    mappings.setProperty("org.springframework.security.web.authentication.rememberme.CookieTheftException", "cookieException");
    r.setOrder(Integer.MIN_VALUE);
    r.setExceptionMappings(mappings);
    r.setDefaultErrorView("error");
    r.setExceptionAttribute("ex");
    r.setWarnLogCategory("example.MvcLogger");
    return r;
}
```
In addition, I added a @ControllerAdvice like this:
```java
@ControllerAdvice
public class GlobalDefaultExceptionHandler {
    public static final String DEFAULT_ERROR_VIEW = "errorCookie";

    @ExceptionHandler(value = Exception.class)
    public ModelAndView defaultErrorHandler(HttpServletRequest req, Exception e) throws Exception {
        ModelAndView mav = new ModelAndView();
        mav.addObject("exception", e);
        mav.addObject("url", req.getRequestURL());
        mav.setViewName(DEFAULT_ERROR_VIEW);
        return mav;
    }
}
```
Unfortunately, none of these is able to catch the exception. The strange thing is that if I throw the exception manually in any controller, the current configuration handles it successfully.
It seems that because the exception is thrown by the DispatcherServlet, neither @ControllerAdvice nor SimpleMappingExceptionResolver is able to catch it? Am I missing something? Any help would be appreciated. Thanks.
Solution:
I struggled with this for a long time and couldn't find anything meaningful. When I looked at your suggestion of using ErrorController as a workaround, I noticed that BasicErrorController says:
* {@code @ExceptionHandler}) or by adding servlet
* {@link AbstractEmbeddedServletContainerFactory#setErrorPages container error pages}.
Since you said that works for you, I figured the same error could be caught by adding it to the servlet container via addErrorPages. Please look at my @Configuration class:
```java
@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {
    return container -> {
        // CookieTheftException is raised in the security filter chain, before the
        // DispatcherServlet, so the container-level error page is what catches it
        container.addErrorPages(new ErrorPage(CookieTheftException.class, "/login"));
    };
}
```
I just want the user to log in again after this exception, so as you can see I simply send them to the login page.
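As an added example (not the answer's own code), the same container error-page approach can route the exception to a dedicated handler that records the theft detection before sending the user to the login page. The Spring Boot 1.x package names match the answer's EmbeddedServletContainerCustomizer API; the path /error/cookie-theft, the controller class and the logger are assumptions for illustration.

```java
// Added example, not from the original post. Assumes Spring Boot 1.x (same API family as
// EmbeddedServletContainerCustomizer in the answer) and an assumed path /error/cookie-theft.
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.ErrorPage;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.authentication.rememberme.CookieTheftException;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Configuration
public class CookieTheftErrorConfig {

    // CookieTheftException is thrown by RememberMeAuthenticationFilter, before the
    // DispatcherServlet runs, so @ExceptionHandler never sees it; the servlet container
    // error page does. Map it to an assumed handler path instead of straight to /login.
    @Bean
    public EmbeddedServletContainerCustomizer cookieTheftErrorPage() {
        return container -> container.addErrorPages(
                new ErrorPage(CookieTheftException.class, "/error/cookie-theft"));
    }

    // Nested static controller (assumed name); component scanning picks it up.
    @Controller
    public static class CookieTheftErrorController {
        private static final Logger log = LoggerFactory.getLogger(CookieTheftErrorController.class);

        @RequestMapping("/error/cookie-theft")
        public String handle(HttpServletRequest request) {
            // The container forwards here with the original exception and request URI
            // exposed as standard servlet error attributes.
            Throwable ex = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
            String uri = (String) request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
            log.warn("Remember-me cookie theft detected (uri={}, remote={}): {}",
                    uri, request.getRemoteAddr(), ex == null ? "n/a" : ex.getMessage());
            // By this point PersistentTokenBasedRememberMeServices has already removed the
            // user's stored tokens and AbstractRememberMeServices has cancelled the cookie,
            // so all that remains is to ask the user to authenticate again.
            return "redirect:/login?cookieTheft";
        }
    }
}
```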
Tags: spring-mvc, spring, spring-security, spring-boot-2, remember-me
Source: https://codeday.me/bug/20190711/1432876.html