在SpringSecurity中,如果我们在认证或者授权的过程中出现了异常会被ExceptionTranslationFilter捕 获到。在ExceptionTranslationFilter中会去判断是认证失败还是授权失败出现的异常。
一、自定义验证异常类
创建exception包,在exception包下创建自定义CustomerAuthenticationException类,继承 AuthenticationException类
/*** 自定义 认证 验证异常类*/
public class CustomerAuthenticationException extends AuthenticationException {public CustomerAuthenticationException(String message){super(message);}
}二、登录用户访问无权限资源处理器
创建CustomerAccessDeniedHandler认证用户访问无权限资源时处理器类。
抓捕到AccessDeniedException异常后,进入此处理器
/*** 认证用户 访问无权限资源时处理器*/
@Component
public class CustomerAccessDeniedHandler implements AccessDeniedHandler {@Overridepublic void handle(HttpServletRequest request,HttpServletResponse response,AccessDeniedException accessDeniedException) throws IOException {//设置客户端的响应的内容类型response.setContentType("application/json;charset=UTF-8");//获取输出流ServletOutputStream outputStream = response.getOutputStream();//消除循环引用String result = JSON.toJSONString(R.error().code(700).message("无权限访问, 请联系管理员!"),SerializerFeature.DisableCircularReferenceDetect);outputStream.write(result.getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}三、匿名用户访问资源处理器
/*** 匿名用户 访问无权限资源的处理类*/
@Component
public class AnonymousAuthenticationHandler implements AuthenticationEntryPoint {@Overridepublic void commence(HttpServletRequest request,HttpServletResponse response,AuthenticationException authException) throws IOException {//设置客户端的响应的内容类型response.setContentType("application/json;charset=UTF-8");String result = null;//获取输出流ServletOutputStream outputStream = response.getOutputStream();// System.out.println("异常消息:"+authException.getMessage()+",对象:"+authException);if (authException instanceof BadCredentialsException) {// 用户名未找到,可以在这里添加自定义处理逻辑result = JSON.toJSONString(R.error().code(HttpServletResponse.SC_UNAUTHORIZED).message(authException.getMessage()),SerializerFeature.DisableCircularReferenceDetect);} else if (authException instanceof InternalAuthenticationServiceException) {result = JSON.toJSONString(R.error().code(HttpServletResponse.SC_UNAUTHORIZED).message("用户名为空!"),SerializerFeature.DisableCircularReferenceDetect);} else {// 其他身份验证异常处理result = JSON.toJSONString(R.error().code(600).message("匿名用户无权限访问!"),SerializerFeature.DisableCircularReferenceDetect); //消除循环引用}outputStream.write(result.getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}四、改造认证校验过滤器 && 认证失败处理器
/*** 认证校验失败处理类*/
@Component
public class LoginFailureHandler implements AuthenticationFailureHandler {@Overridepublic void onAuthenticationFailure(HttpServletRequest request,HttpServletResponse response,AuthenticationException exception) throws IOException, ServletException {//设置客户端响应编码格式response.setContentType("application/json;charset=UTF-8");//获取输出流ServletOutputStream outputStream= response.getOutputStream();String message = null;//提示信息int code = 500;//错误编码//判断异常类型if(exception instanceof AccountExpiredException){message = "账户过期,登录失败!";}else if(exception instanceof BadCredentialsException){message = "用户名或密码错误,登录失败!";}else if(exception instanceof CredentialsExpiredException){message = "密码过期,登录失败!";}else if(exception instanceof DisabledException){message = "账户被禁用,登录失败!";}else if(exception instanceof LockedException){message = "账户被锁,登录失败!";}else if(exception instanceof InternalAuthenticationServiceException){message = "账户不存在,登录失败!";}else if(exception instanceof CustomerAuthenticationException){message = exception.getMessage();code = 600;}else{message = "登录失败!";}//将错误信息转换成JSONString result = JSON.toJSONString(R.error().code(code).message(message));outputStream.write(result.getBytes(StandardCharsets.UTF_8));outputStream.flush();outputStream.close();}
}五、配置自定义处理器
