gpt4 book ai didi

spring-mvc - Spring Security 忽略具有方法级安全性的访问拒绝处理程序

转载 作者:行者123 更新时间:2023-12-03 14:13:54 27 4
gpt4 key购买 nike

我正在使用 Spring 3.2.4 并且无法让 Spring Security 重定向到我的 access-denied-handler使用基于注解的方法级别安全性时。我找到了几篇关于此的不同帖子,但到目前为止,我似乎没有找到任何解决方案。

我的 security.xml 文件:

<!-- need this here to be able to secure methods in components other than controllers (as scanned in applicationContext.xml) -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled" ></global-method-security>

<!-- Annotation/JavaConfig examples http://stackoverflow.com/questions/7361513/spring-security-login-page -->
<http use-expressions="true" entry-point-ref="authenticationEntryPoint">
<access-denied-handler ref="accessDeniedHandler"/>

<intercept-url pattern="/secure/login" access="permitAll" />
<intercept-url pattern="/secure/logout" access="permitAll" />
<intercept-url pattern="/secure/denied" access="permitAll" />
<session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true">
<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>
</session-management>

<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login default-target-url="/" authentication-failure-url="/secure/denied" />
<logout logout-url="/secure/logout" logout-success-url="/" />
<expression-handler ref="defaultWebSecurityExpressionHandler" />
</http>

<beans:bean id="authenticationEntryPoint" class="com.ia.security.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg name="loginFormUrl" value="/secure/login"/>
</beans:bean>

<beans:bean id="accessDeniedHandler" class="com.ia.security.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/secure/denied"/>
</beans:bean>

我的 AccessDeniedHandlerImpl.java :
public class AccessDeniedHandlerImpl extends org.springframework.security.web.access.AccessDeniedHandlerImpl {
// SLF4J logger
private static final Logger logger = LoggerFactory.getLogger(AccessDeniedHandlerImpl.class);

@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
logger.log("AccessDeniedException triggered!");
super.handle(request, response, accessDeniedException);

}
}

我的注释方法:
@PreAuthorize("hasAuthority('ROLE_ZZZZ')")
public ModelAndView getUserInfo( @PathVariable long userId ){
ModelAndView mv = new ModelAndView();
User u = userService.findUser( userId );
mv.addObject("user", u);
return mv;
}

我需要做什么特别的事情来调用我的拒绝访问处理程序吗?

最佳答案

经过几个小时的搜索和跟踪 Spring 代码,我终于发现了发生了什么。我在这里列出它,以防它对其他人有值(value)。
access-denied-handlerExceptionTranslationFilter 使用如果是 AccessDeniedException .然而,org.springframework.web.servlet.DispatcherServlet首先尝试处理异常。具体来说,我有一个 org.springframework.web.servlet.handler.SimpleMappingExceptionResolverdefaultErrorView 定义.因此,SimpleMappingExceptionResolver通过重定向到适当的 View 来消耗异常,因此,没有异常可以冒泡到 ExceptionTranslationFilter .

修复相当简单。配置 SimpleMappingExceptionResolver忽略所有 AccessDeniedException .

<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
<property name="defaultErrorView" value="uncaughtException" />
<property name="excludedExceptions" value="org.springframework.security.access.AccessDeniedException" />

<property name="exceptionMappings">
<props>
<prop key=".DataAccessException">dataAccessFailure</prop>
<prop key=".NoSuchRequestHandlingMethodException">resourceNotFound</prop>
<prop key=".TypeMismatchException">resourceNotFound</prop>
<prop key=".MissingServletRequestParameterException">resourceNotFound</prop>
</props>
</property>
</bean>

现在,每当 AccessDeniedException被抛出,解析器忽略它并允许它向上冒泡堆栈到 ExceptionTranslationFilter然后调用 access-denied-handler来处理异常。

关于spring-mvc - Spring Security 忽略具有方法级安全性的访问拒绝处理程序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/21171882/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com