自从Spring引导发布以来,我遇到以下问题1.4 我有一个自定义身份验证提供程序,它管理Spring Security的JWT令牌解析。基本上,当令牌无效或过期时,我会抛出一个BadCredentialsException。我也有一个与JSONSpring Boot 1.4:Principal必须为空例外
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException
{
httpServletResponse.setContentType("application/json");
httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
httpServletResponse.getOutputStream().println("{ \"error\": \"" + e.getMessage() + "\" }");
}
这里一个未经授权的HttpServlet响应重新格式化消息AutenticationEntryPoint是管理身份验证提供
@Override
protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException
{
String authToken = httpServletRequest.getHeader("Authorization");
JwtToken token = new JwtToken(authToken);
try
{
Authentication auth = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(auth);
filterChain.doFilter(httpServletRequest, httpServletResponse);
}
catch(AuthenticationException ae)
{
SecurityContextHolder.clearContext();
unauthorizedHandler.commence(httpServletRequest, httpServletResponse, ae);
}
这是在春季启动1.3做工精细的异常过滤器0.6 现在我收到以下错误
java.lang.IllegalArgumentException异常:主要经营不能为空 堆栈跟踪:
java.lang.IllegalArgumentException: Principal must not be null
at org.springframework.util.Assert.notNull(Assert.java:115) ~[spring-core-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.boot.actuate.audit.AuditEvent.<init>(AuditEvent.java:83) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.audit.AuditEvent.<init>(AuditEvent.java:59) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onAuthenticationFailureEvent(AuthenticationAuditListener.java:67) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onApplicationEvent(AuthenticationAuditListener.java:50) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.boot.actuate.security.AuthenticationAuditListener.onApplicationEvent(AuthenticationAuditListener.java:34) ~[spring-boot-actuator-1.4.0.RELEASE.jar:1.4.0.RELEASE]
at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:382) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:336) ~[spring-context-4.3.2.RELEASE.jar:4.3.2.RELEASE]
at org.springframework.security.authentication.DefaultAuthenticationEventPublisher.publishAuthenticationFailure(DefaultAuthenticationEventPublisher.java:124) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.prepareException(ProviderManager.java:240) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:233) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:454) ~[spring-security-config-4.1.1.RELEASE.jar:4.1.1.RELEASE]
at com.icentia.tracking.security.JwtFilter.doFilterInternal(JwtFilter.java:49) ~[classes/:na]
这是来自Spring Boot Actuator。如果我删除它,它就像以前一样工作?!?
似乎有在这里列出的错误,但不一样的: https://github.com/spring-projects/spring-boot/issues/6447
我想有致动器的生产,任何解决办法,我可以用这个?
谢谢
嗨 - 你已经发布了一段时间,你解决了这个问题吗? –
问题在于,Acutator一旦添加到Spring Boot中就会跟踪不成功的登录(审计)。我改变了JWT检查把一个BadCredential异常抛出到一个Nonce异常,这可能是因为它没有在这种情况下检查getName形式的Principal(但我没有验证这一点) –
很高兴知道,谢谢!埃斯特班也发布了类似的答案。 –