我有一个春季启动项目.使用不正确的用户凭据发出请求时:
catch (RuntimeException ex) {
log.error("Error occurred while fetching user {}: {}", securityPrincipal, ex);
throw new UsernameNotFoundException("Could not find user: " + securityPrincipal);
}
但是最后抛出的异常是500.
通过一些链接后,我发现:
protected AbstractPreAuthenticatedProcessingFilter multiPreAuthenticatedProcessingFilter() throws Exception {
MultiPreAuthenticatedProcessingFilter filter = new MultiPreAuthenticatedProcessingFilter();
filter.setAuthenticationManager(authenticationManager());
filter.setPreAuthenticatedPrincipalProviders(preAuthenticatedPrincipalProviders);
filter.setCheckForPrincipalChanges(true);
filter.setInvalidateSessionOnPrincipalChange(true);
filter.setContinueFilterChainOnUnsuccessfulAuthentication(**true**);
return filter;
}
将continueFilterChainOnUnsuccesfulAuthentication更改为true将有助于按原样抛出Authentication异常.但是在将其更改为true之后,将UsernameNotFoundException抛出为403而不是401.
是否缺少一些基本的安全配置?