spring security custom AuthenticationFailureHandler

This commit is contained in:
db 2018-07-13 22:16:18 +01:00
parent 429bbbbaf1
commit 69bb8daf0c
5 changed files with 187 additions and 3 deletions

View File

@ -10,9 +10,10 @@
<description>Spring Boot Security Auto-Configuration</description> <description>Spring Boot Security Auto-Configuration</description>
<parent> <parent>
<groupId>com.baeldung</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>parent-modules</artifactId> <artifactId>spring-boot-starter-parent</artifactId>
<version>1.0.0-SNAPSHOT</version> <version>1.5.9.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent> </parent>
<dependencyManagement> <dependencyManagement>
@ -55,6 +56,11 @@
<artifactId>spring-security-test</artifactId> <artifactId>spring-security-test</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies> </dependencies>
<build> <build>
@ -62,6 +68,16 @@
<plugin> <plugin>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId> <artifactId>spring-boot-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
<configuration> <!-- multiple main classes present, choose one -->
<mainClass>com.baeldung.springbootsecurity.basic_auth.SpringBootSecurityApplication</mainClass>
</configuration>
</execution>
</executions>
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
@ -69,6 +85,7 @@
<properties> <properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>1.8</java.version>
</properties> </properties>
</project> </project>

View File

@ -0,0 +1,12 @@
package com.baeldung.springbootsecurity.form_login;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication(scanBasePackages = "com.baeldung.springbootsecurity.form_login")
public class SpringBootSecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SpringBootSecurityApplication.class, args);
}
}

View File

@ -0,0 +1,40 @@
package com.baeldung.springbootsecurity.form_login.configuration;
import com.baeldung.springbootsecurity.form_login.security.CustomAuthenticationFailureHandler;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser("baeldung")
.password("baeldung")
.roles("USER");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.formLogin()
.failureHandler(customAuthenticationFailureHandler());
}
@Bean
public AuthenticationFailureHandler customAuthenticationFailureHandler() {
return new CustomAuthenticationFailureHandler();
}
}

View File

@ -0,0 +1,28 @@
package com.baeldung.springbootsecurity.form_login.security;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Map;
public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
private final ObjectMapper objectMapper = new ObjectMapper();
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
Map<String, Object> data = new HashMap<>();
data.put("timestamp", Calendar.getInstance().getTime());
data.put("exception", exception.getMessage());
response.getOutputStream().println(objectMapper.writeValueAsString(data));
}
}

View File

@ -0,0 +1,87 @@
package com.baeldung.springbootsecurity.form_login;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;
import javax.servlet.Filter;
import static org.junit.Assert.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.authenticated;
import static org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers.unauthenticated;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@RunWith(SpringRunner.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = com.baeldung.springbootsecurity.form_login.SpringBootSecurityApplication.class)
public class FormLoginIntegrationTest {
@Autowired
private WebApplicationContext context;
@Autowired
private Filter springSecurityFilterChain;
private MockMvc mvc;
@Before
public void setup() {
mvc = MockMvcBuilders
.webAppContextSetup(context)
.addFilters(springSecurityFilterChain)
.build();
}
@Test
public void givenRequestWithoutSessionOrCsrfToken_shouldFailWith403() throws Exception {
mvc
.perform(post("/"))
.andExpect(status().isForbidden());
}
@Test
public void givenRequestWithInvalidCsrfToken_shouldFailWith403() throws Exception {
mvc
.perform(post("/").with(csrf().useInvalidToken()))
.andExpect(status().isForbidden());
}
@Test
public void givenRequestWithValidCsrfTokenAndWithoutSessionToken_shouldReceive302WithLocationHeaderToLoginPage() throws Exception {
MvcResult mvcResult = mvc.perform(post("/").with(csrf())).andReturn();
assertTrue(mvcResult.getResponse().getStatus() == 302);
assertTrue(mvcResult.getResponse().getHeader("Location").contains("login"));
}
@Test
public void givenValidRequestWithValidCredentials_shouldLoginSuccessfully() throws Exception {
mvc
.perform(formLogin().user("baeldung").password("baeldung"))
.andExpect(status().isFound())
.andExpect(redirectedUrl("/"))
.andExpect(authenticated().withUsername("baeldung"));
}
@Test
public void givenValidRequestWithInvalidCredentials_shouldFailWith401() throws Exception {
MvcResult result = mvc
.perform(formLogin().user("random").password("random"))
.andExpect(status().isUnauthorized())
.andDo(print())
.andExpect(unauthenticated())
.andReturn();
assertTrue(result.getResponse().getContentAsString().contains("Bad credentials"));
}
}