Spring Security —— 异常处理

Posted 2022-08-04 _瞳孔

一：异常体系

Spring Security中异常主要分为两大类：

• AuthenticationException：认证异常
• AccessDeniedException：授权异常

其中认证所涉及的异常类型比较多，默认有18种，如下：

相比于认证异常，权限异常类就要少了很多，默认提供的权限异常如下：

二：自定义异常配置

在实际开发中，默认异常是无法满足需求的，需要大量的自定义异常类，Spring Security提供了两个方法来配置：

• authenticationEntryPoint()：认证自定义异常
• accessDeniedHandler()：授权自定义异常

至于这两个方法怎么使用，我们可以进入源码看看

首先是authenticationEntryPoint()，可以看到，该方法要求我们传入AuthenticationEntryPoint的对象

	public ExceptionHandlingConfigurer<H> authenticationEntryPoint(
			AuthenticationEntryPoint authenticationEntryPoint) 
		this.authenticationEntryPoint = authenticationEntryPoint;
		return this;
	

进入AuthenticationEntryPoint接口，可以看到只有一个方法，因此在authenticationEntryPoint方法中可以直接传入Lambda表达式，但那样写不美观，配置与实现应该分离，因此我们可以新建一个类去实现这个接口

public interface AuthenticationEntryPoint 
	/**
	 * 处理认证访问相关异常
	 * @param request 导致AuthenticationException的请求
	 * @param response 响应
	 * @param authException 异常信息
	 */
	void commence(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException authException) throws IOException, ServletException;

public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint 
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException 
        Map<String, Object> result = new HashMap<>();
        result.put("code", 400);
        result.put("msg", authException.getMessage());
        response.setContentType("application/json;charset=UTF-8");
        String s = new ObjectMapper().writeValueAsString(result);
        response.getWriter().println(s);
    

accessDeniedHandler()方法同理，其源码如下：

	public ExceptionHandlingConfigurer<H> accessDeniedHandler(
			AccessDeniedHandler accessDeniedHandler) 
		this.accessDeniedHandler = accessDeniedHandler;
		return this;
	

进入AccessDeniedHandler接口：

public interface AccessDeniedHandler 
	/**
	 * 处理权限访问相关异常
	 * @param request 导致AccessDeniedException的请求
	 * @param response 响应
	 * @param accessDeniedException 异常信息
	 */
	void handle(HttpServletRequest request, HttpServletResponse response,
			AccessDeniedException accessDeniedException) throws IOException,
			ServletException;

因此我们可以这样实现：

public class CustomAccessDeniedHandler implements AccessDeniedHandler 
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException 
        Map<String, Object> result = new HashMap<>();
        result.put("code", 400);
        result.put("msg", accessDeniedException.getMessage());
        response.setContentType("application/json;charset=UTF-8");
        String s = new ObjectMapper().writeValueAsString(result);
        response.getWriter().println(s);
    

最后再在configure中将自定义处理配置进去：

    @Override
    protected void configure(HttpSecurity http) throws Exception 
        http.authorizeRequests()
                .mvcMatchers("/hello1").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin()
                .successHandler(new CustomAuthenticationSuccessHandler())
                .failureHandler(new CustomAuthenticationFailureHandler())
                .and()
                .logout()
                .logoutSuccessHandler(new CustomLogoutSuccessHandler())
                // 异常处理
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(new CustomAuthenticationEntryPoint())  // 认证异常
                .accessDeniedHandler(new CustomAccessDeniedHandler())  // 授权异常;
    

如果有兴趣了解更多相关内容，欢迎来我的个人网站看看：瞳孔的个人网站