默认情况下, Spring Boot 2将
401在
spring-boot-starter-security添加为依赖项并执行未授权的请求时返回。
如果你放置一些自定义配置来修改安全机制行为,则可能会更改。如果是这种情况,并且你确实需要强制执行该
401状态,请阅读以下原始帖子。
Original Post
The class
org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint被取消了
org.springframework.security.web.authentication.HttpStatusEntryPoint。
就我而言,代码如下所示:
public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { //... http.exceptionHandling() .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)); //... }}Bonus
如果你需要在响应正文中返回一些信息或以某种方式自定义响应,则可以执行以下操作:
1-扩展
AuthenticationEntryPoint
public class MyEntryPoint implements AuthenticationEntryPoint { private final HttpStatus httpStatus; private final Object responseBody; public MyEntryPoint(HttpStatus httpStatus, Object responseBody) { Assert.notNull(httpStatus, "httpStatus cannot be null"); Assert.notNull(responseBody, "responseBody cannot be null"); this.httpStatus = httpStatus; this.responseBody = responseBody; } @Override public final void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { response.setStatus(httpStatus.value()); try (PrintWriter writer = response.getWriter()) { writer.print(new ObjectMapper().writevalueAsString(responseBody)); } }}2-提供
MyEntryPoint安全配置的实例
public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { // customize your response body as needed Map<String, String> responseBody = new HashMap<>(); responseBody.put("error", "unauthorized"); //... http.exceptionHandling() .authenticationEntryPoint(new MyEntryPoint(HttpStatus.UNAUTHORIZED, responseBody)); //... }}
