Spring Security忽略方法级别安全性的访问拒绝处理程序

我正在使用Spring 3.2.4,并且access-denied-handler在使用基于注释的方法级别安全性时,无法使Spring

Security重定向到我。我发现了一些与此相关的不同文章,但是到目前为止,似乎还没有找到任何解决方案。

我的security.xml文件:

<!-- need this here to be able to secure methods in components other than controllers (as scanned in applicationContext.xml) -->

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled" ></global-method-security>

<!-- Annotation/JavaConfig examples http://stackoverflow.com/questions/7361513/spring-security-login-page -->

<http use-expressions="true" entry-point-ref="authenticationEntryPoint">

<access-denied-handler ref="accessDeniedHandler"/>

<intercept-url pattern="/secure/login" access="permitAll" />

<intercept-url pattern="/secure/logout" access="permitAll" />

<intercept-url pattern="/secure/denied" access="permitAll" />

<session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true">

<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>

</session-management>

<intercept-url pattern="/**" access="isAuthenticated()" />

<form-login default-target-url="/" authentication-failure-url="/secure/denied" />

<logout logout-url="/secure/logout" logout-success-url="/" />

<expression-handler ref="defaultWebSecurityExpressionHandler" />

</http>

<beans:bean id="authenticationEntryPoint" class="com.ia.security.LoginUrlAuthenticationEntryPoint">

<beans:constructor-arg name="loginFormUrl" value="/secure/login"/>

</beans:bean>

<beans:bean id="accessDeniedHandler" class="com.ia.security.AccessDeniedHandlerImpl">

<beans:property name="errorPage" value="/secure/denied"/>

</beans:bean>

我的AccessDeniedHandlerImpl.java:

public class AccessDeniedHandlerImpl extends org.springframework.security.web.access.AccessDeniedHandlerImpl {

// SLF4J logger

private static final Logger logger = LoggerFactory.getLogger(AccessDeniedHandlerImpl.class);

@Override

public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {

logger.log("AccessDeniedException triggered!");

super.handle(request, response, accessDeniedException);

}

}

我的注释方法:

@PreAuthorize("hasAuthority('ROLE_ZZZZ')")

public ModelAndView getUserInfo( @PathVariable long userId ){

ModelAndView mv = new ModelAndView();

User u = userService.findUser( userId );

mv.addObject("user", u);

return mv;

}

我需要做些什么特别的事情来调用我的访问拒绝处理程序吗?

回答:

经过数小时的搜索和跟踪Spring代码,我终于发现了正在发生的事情。我将其列出在这里,以防对他人有价值。

access-denied-

handler使用通过ExceptionTranslationFilter在的情况下AccessDeniedException。但是,org.springframework.web.servlet.DispatcherServlet首先尝试处理异常。具体来说,我使用org.springframework.web.servlet.handler.SimpleMappingExceptionResolver定义了一个defaultErrorView。因此,会SimpleMappingExceptionResolver通过重定向到适当的视图来消耗异常,因此,没有剩余的异常会冒泡到ExceptionTranslationFilter

解决方法非常简单。配置SimpleMappingExceptionResolver忽略所有AccessDeniedException

<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">

<property name="defaultErrorView" value="uncaughtException" />

<property name="excludedExceptions" value="org.springframework.security.access.AccessDeniedException" />

<property name="exceptionMappings">

<props>

<prop key=".DataAccessException">dataAccessFailure</prop>

<prop key=".NoSuchRequestHandlingMethodException">resourceNotFound</prop>

<prop key=".TypeMismatchException">resourceNotFound</prop>

<prop key=".MissingServletRequestParameterException">resourceNotFound</prop>

</props>

</property>

</bean>

现在,无论何时AccessDeniedException抛出an

,解析器都会忽略它,并允许其将堆栈冒泡到ExceptionTranslationFilter,然后调用access-denied-

handler来处理异常。

以上是 Spring Security忽略方法级别安全性的访问拒绝处理程序 的全部内容, 来源链接: utcz.com/qa/399176.html

回到顶部