Spring Security使用方法级安全性忽略访问被拒绝处理程序

Question

Spring Security使用方法级安全性忽略访问被拒绝处理程序

我正在使用Spring 3.2.4,并且access-denied-handler在使用基于Annotation的方法级安全性时无法让Spring Security重定向到我.我发现了几个不同的帖子,但到目前为止,我找不到任何解决方案.

我的security.xml文件:

<!-- need this here to be able to secure methods in components other than controllers (as scanned in applicationContext.xml) -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled" ></global-method-security>

<!-- Annotation/JavaConfig examples http://stackoverflow.com/questions/7361513/spring-security-login-page -->
<http use-expressions="true" entry-point-ref="authenticationEntryPoint">
    <access-denied-handler ref="accessDeniedHandler"/>

    <intercept-url pattern="/secure/login" access="permitAll" />
    <intercept-url pattern="/secure/logout" access="permitAll" />
    <intercept-url pattern="/secure/denied" access="permitAll" />
    <session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true"> 
        <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>
    </session-management>

    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login  default-target-url="/" authentication-failure-url="/secure/denied" />
    <logout logout-url="/secure/logout" logout-success-url="/" />
    <expression-handler ref="defaultWebSecurityExpressionHandler" />
</http>

<beans:bean id="authenticationEntryPoint" class="com.ia.security.LoginUrlAuthenticationEntryPoint">
    <beans:constructor-arg name="loginFormUrl" value="/secure/login"/>
</beans:bean>

<beans:bean id="accessDeniedHandler" class="com.ia.security.AccessDeniedHandlerImpl">
    <beans:property name="errorPage" value="/secure/denied"/>
</beans:bean>

Run Code Online (Sandbox Code Playgroud)

我的AccessDeniedHandlerImpl.java:

public class AccessDeniedHandlerImpl extends org.springframework.security.web.access.AccessDeniedHandlerImpl {
    // SLF4J logger
    private static final Logger logger = LoggerFactory.getLogger(AccessDeniedHandlerImpl.class);

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        logger.log("AccessDeniedException triggered!");
        super.handle(request, response, accessDeniedException);

    }
}

Run Code Online (Sandbox Code Playgroud)

我的注释方法:

@PreAuthorize("hasAuthority('ROLE_ZZZZ')")
public ModelAndView getUserInfo( @PathVariable long userId ){
    ModelAndView mv = new ModelAndView();
    User u = userService.findUser( userId );
    mv.addObject("user", u);
    return mv;
}

Run Code Online (Sandbox Code Playgroud)

我需要做什么特别的事情来调用我的访问被拒绝处理程序吗？

Answer 1

Eri*_* B. 19

经过几个小时的搜索和追踪Spring代码后,我终于发现了正在发生的事情.我在这里列出这个,以防它对别人有价值.

在access-denied-handler由所使用ExceptionTranslationFilter的的情况下AccessDeniedException.但是,org.springframework.web.servlet.DispatcherServlet首先尝试处理异常.具体来说,我有一个org.springframework.web.servlet.handler.SimpleMappingExceptionResolver定义了defaultErrorView.因此,SimpleMappingExceptionResolver通过重定向到适当的视图来消耗异常,因此,没有任何例外可以冒泡到ExceptionTranslationFilter.

修复很简单.配置SimpleMappingExceptionResolver忽略全部AccessDeniedException.

<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
    <property name="defaultErrorView" value="uncaughtException" />
    <property name="excludedExceptions" value="org.springframework.security.access.AccessDeniedException" />

    <property name="exceptionMappings">
        <props>
            <prop key=".DataAccessException">dataAccessFailure</prop>
            <prop key=".NoSuchRequestHandlingMethodException">resourceNotFound</prop>
            <prop key=".TypeMismatchException">resourceNotFound</prop>
            <prop key=".MissingServletRequestParameterException">resourceNotFound</prop>
        </props>
    </property>
</bean>

Run Code Online (Sandbox Code Playgroud)

现在,无论何时AccessDeniedException抛出,解析器都会忽略它,并允许它将堆栈冒泡到堆栈ExceptionTranslationFilter,然后调用它access-denied-handler来处理异常.

这个配置的javaconfig？ (4认同)

Answer 2

小智 6

我遇到了同样的问题.在我的情况下已经确定了@ControllerAdvise应该处理异常 - 所以我直接添加了AccessDeniedException:

@Component
@ControllerAdvice
public class ControllerBase {

...

  @ExceptionHandler(value = AccessDeniedException.class)
    public ModelAndView accessDenied() {
        return new ModelAndView("redirect:login.html");
    }
}

Run Code Online (Sandbox Code Playgroud)

祝你好运!

归档时间：	12 年前
查看次数：	16019 次
最近记录：	8 年，1 月前