spring security - 拒绝访问处理程序
Posted
技术标签:
【中文标题】spring security - 拒绝访问处理程序【英文标题】:spring security - access-denied-handler 【发布时间】:2013-10-31 07:19:44 【问题描述】:我在使用 Spring Security 和获取拒绝访问处理程序时遇到了一些问题。
Spring Security 正在工作,但是当我在没有所需权限 (ROLE_ADMIN) 的情况下访问 /admin 时,Spring Security 只是重定向到我的登录表单页面的根页面。
我希望能够将用户重定向到 /accessdenied 或 /?accessdenied=true 这应该加载登录页面并显示以下消息:“权限被拒绝 - 请登录”
spring-security.xml:
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http>
<security:intercept-url pattern='/home' access='ROLE_USER,ROLE_ADMIN' />
<security:intercept-url pattern='/admin*' access='ROLE_ADMIN' />
<security:form-login login-page='/' default-target-url='/home' authentication-failure-url='/?error=true' />
<security:logout logout-success-url='/' />
<security:access-denied-handler error-page="/accessdenied"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name='a' password='a' authorities='ROLE_ADMIN,ROLE_USER' />
<security:user name='u' password='u' authorities='ROLE_USER' />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/spring-security.xml
</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
</web-app>
登录控制器.java 导入 java.util.Locale;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class LoginController
private static final Logger logger = LoggerFactory.getLogger(LoginController.class);
/**
* Simply selects the home view to render by returning its name.
*/
@RequestMapping(value = "/", method = RequestMethod.GET)
public String home(Locale locale, Model model)
logger.info("Welcome home! The client locale is .", locale);
return "login";
@RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
public String accessDenied(Locale locale, Model model)
logger.info("Welcome home! The client locale is .", locale);
model.addAttribute("message", "Permission denied - please login");
return "login";
我已经尝试了几个指南,包括以下内容,但都没有奏效:
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/ access denied page using spring security not working How to redirect to access-denied-page with spring security
任何帮助将不胜感激。
【问题讨论】:
【参考方案1】:使用 Spring ExceptionTranslationFilter 将帮助您获得所需的输出。你可以试试看
为您的所有请求添加匹配的过滤器
然后注入ExceptionTranslationFilter如下
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/login/denied.action"/>
</bean>
</property>
</bean>
【讨论】:
我之前尝试过这样做,这里的答案是:***.com/questions/9244238/… 但它对我不起作用。【参考方案2】:您能否检查日志并确认在您访问 /admin 页面时是否抛出了 AuthenticationException 或 AccessDeniedException。
您还以正确的登录名访问管理页面,但没有管理员权限,或者您根本没有登录访问它?
已编辑:
-
您能否通过添加一些日志语句或调试来检查当您使用正确的登录名(没有管理员权限)访问 /admin 时,是否调用了 accessDenied() 方法?
您也可以分享您的登录 jsp,您可能没有正确显示消息参数
当用户没有所需的 priv 但是有效用户时,调用 accessDeniedHandler,您可以在调试日志中看到类似的内容
访问被拒绝(用户不是匿名的);委派给 AccessDeniedHandler
AccessDeniedHndler 会将请求转发到 errorPage(它不是重定向)
【讨论】:
没有抛出异常。我现在尝试使用没有管理员权限的正确登录名和根本没有登录名来访问管理页面。我仍然被重定向到登录页面。 谢谢,它现在可以工作了。你是绝对正确的,问题出在 login.jsp 页面上。如果用户尝试访问 /home 或 /admin 而不以有效用户/admin 身份登录,是否可以向用户显示消息?【参考方案3】:这个方法很简单
三个步骤 1-
.exceptionHandling().accessDeniedPage("/access-denied")
2-
@RequestMapping("/access-denied")
public void access(HttpServletResponse response , HttpServletRequest request) throws IOException
response.sendRedirect(request.getContextPath() +"?accessDenied");
3-
<c:if test="$param.accessDenied != null ">
<i class="failed">access denied .</i>
</c:if>
【讨论】:
以上是关于spring security - 拒绝访问处理程序的主要内容,如果未能解决你的问题,请参考以下文章
即使授予正确的权限,Spring Security @Secured 也会拒绝访问
在 Spring Security 中启用 CSRF 时,访问被拒绝 403