Java spring安全-拒绝访问处理程序
我对Spring安全性和访问被拒绝处理程序的工作有一些问题 Spring security正在工作,但当我在没有所需权限(角色\管理员)的情况下访问/admin时,Spring security只是重定向到根页面,这是我的登录表单页面 我希望能够将用户重定向到/accessdenied或/?accessdenied=true,这将加载登录页面并显示以下消息:“权限被拒绝-请登录” spring-security.xml:Java spring安全-拒绝访问处理程序,java,spring,spring-mvc,spring-security,Java,Spring,Spring Mvc,Spring Security,我对Spring安全性和访问被拒绝处理程序的工作有一些问题 Spring security正在工作,但当我在没有所需权限(角色\管理员)的情况下访问/admin时,Spring security只是重定向到根页面,这是我的登录表单页面 我希望能够将用户重定向到/accessdenied或/?accessdenied=true,这将加载登录页面并显示以下消息:“权限被拒绝-请登录” spring-security.xml: <beans:beans xmlns:security="
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http>
<security:intercept-url pattern='/home' access='ROLE_USER,ROLE_ADMIN' />
<security:intercept-url pattern='/admin*' access='ROLE_ADMIN' />
<security:form-login login-page='/' default-target-url='/home' authentication-failure-url='/?error=true' />
<security:logout logout-success-url='/' />
<security:access-denied-handler error-page="/accessdenied"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name='a' password='a' authorities='ROLE_ADMIN,ROLE_USER' />
<security:user name='u' password='u' authorities='ROLE_USER' />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
非常感谢您的帮助。使用Spring Exception TranslationFilter将帮助您获得所需的输出。你可以试一试 添加与所有请求匹配的筛选器 然后注入ExceptionTranslationFilter,如下所示
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/login/denied.action"/>
</bean>
</property>
</bean>
请检查日志并确认在您访问/admin页面时引发了AuthenticationException或AccessDeniedException 另外,您访问管理员页面时使用了正确的登录名,但没有管理员权限,或者您访问该页面时根本没有登录名 编辑:
访问被拒绝。
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class LoginController {
private static final Logger logger = LoggerFactory.getLogger(LoginController.class);
/**
* Simply selects the home view to render by returning its name.
*/
@RequestMapping(value = "/", method = RequestMethod.GET)
public String home(Locale locale, Model model)
{
logger.info("Welcome home! The client locale is {}.", locale);
return "login";
}
@RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
public String accessDenied(Locale locale, Model model)
{
logger.info("Welcome home! The client locale is {}.", locale);
model.addAttribute("message", "Permission denied - please login");
return "login";
}
}
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/login/denied.action"/>
</bean>
</property>
</bean>
@RequestMapping("/access-denied")
public void access(HttpServletResponse response , HttpServletRequest request) throws IOException {
response.sendRedirect(request.getContextPath() +"?accessDenied");
}
<c:if test="${param.accessDenied != null }">
<i class="failed">access denied .</i>
</c:if>