Java spring security - 拒绝访问处理程序
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19517564/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
spring security - access-denied-handler
提问by Emil C
I have some problems with Spring Security and getting an access-denied-handler to work.
我在 Spring Security 和获取拒绝访问处理程序方面遇到了一些问题。
Spring security is working but when I visit /admin without the required privileges (ROLE_ADMIN), Spring Security is just redirecting to the root page which is my login form page.
Spring Security 正在工作,但是当我在没有所需权限 (ROLE_ADMIN) 的情况下访问 /admin 时,Spring Security 只是重定向到我的登录表单页面的根页面。
I want to be able to redirect the user to /accessdenied or /?accessdenied=true which should load the login page and display the following message: "Permission denied - please login"
我希望能够将用户重定向到 /accessdenied 或 /?accessdenied=true 这应该加载登录页面并显示以下消息:“权限被拒绝 - 请登录”
spring-security.xml:
弹簧security.xml:
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<security:http>
<security:intercept-url pattern='/home' access='ROLE_USER,ROLE_ADMIN' />
<security:intercept-url pattern='/admin*' access='ROLE_ADMIN' />
<security:form-login login-page='/' default-target-url='/home' authentication-failure-url='/?error=true' />
<security:logout logout-success-url='/' />
<security:access-denied-handler error-page="/accessdenied"/>
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name='a' password='a' authorities='ROLE_ADMIN,ROLE_USER' />
<security:user name='u' password='u' authorities='ROLE_USER' />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
web.xml:
网页.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/root-context.xml
/WEB-INF/spring/spring-security.xml
</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Processes application requests -->
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>appServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
</web-app>
LoginController.java import java.util.Locale;
LoginController.java 导入 java.util.Locale;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class LoginController {
private static final Logger logger = LoggerFactory.getLogger(LoginController.class);
/**
* Simply selects the home view to render by returning its name.
*/
@RequestMapping(value = "/", method = RequestMethod.GET)
public String home(Locale locale, Model model)
{
logger.info("Welcome home! The client locale is {}.", locale);
return "login";
}
@RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
public String accessDenied(Locale locale, Model model)
{
logger.info("Welcome home! The client locale is {}.", locale);
model.addAttribute("message", "Permission denied - please login");
return "login";
}
}
I have tried several guides including the following, and none of it worked:
我尝试了几个指南,包括以下内容,但都没有奏效:
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/access denied page using spring security not workingHow to redirect to access-denied-page with spring security
http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/使用 spring security 访问被拒绝页面不起作用如何重定向到访问拒绝页面弹簧安全
Any help would be greatly appreciated.
任何帮助将不胜感激。
采纳答案by coder
Can you please check the logs and confirm in your case AuthenticationException is getting thrown or AccessDeniedException when you visit /admin page.
您能否检查日志并确认在您访问 /admin 页面时是否抛出了 AuthenticationException 或 AccessDeniedException。
Also you visit admin page with a correct login not having admin privileges or you visit it without login at all ?
此外,您使用正确的登录名访问管理页面而没有管理员权限,或者您根本没有登录就访问它?
Editted:
编辑:
- Can you check by adding some log statement or debug that when you access /admin with a correct login (not having admin priv), is the method accessDenied() getting called ?
- Also can you share your login jsp, you might not have displayed message param correctly
- When user doesn't have required priv but is a valid user then accessDeniedHandler is called, you can see something like this in debug logs
- 您能否通过添加一些日志语句或调试来检查当您使用正确的登录名(没有管理员权限)访问 /admin 时,是否调用了 accessDenied() 方法?
- 您也可以分享您的登录jsp,您可能没有正确显示消息参数
- 当用户没有必需的 priv 但是有效用户时,调用 accessDeniedHandler,您可以在调试日志中看到类似的内容
access is denied (user is not anonymous); delegating to AccessDeniedHandler
访问被拒绝(用户不是匿名的);委托给 AccessDeniedHandler
AccessDeniedHndler will forward the request to errorPage (Its not a redirect)
AccessDeniedHndler 将请求转发到 errorPage(它不是重定向)
回答by Pratik Shelar
Using the Spring ExceptionTranslationFilter will help you get the desired output. You could give it a try
使用 Spring ExceptionTranslationFilter 将帮助您获得所需的输出。你可以试试
Add a filter matching to all your requests
添加与您的所有请求匹配的过滤器
Then inject the ExceptionTranslationFilter as follows
然后注入ExceptionTranslationFilter如下
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<property name="errorPage" value="/login/denied.action"/>
</bean>
</property>
</bean>
