2

我正在使用 Spring Security 并使用 Pre-Authentication 模块,因为我的应用程序使用 Siteminder 进行了身份验证。

以下是spring config XML

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- http403EntryPoint -->

<security:http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
    <!-- Additional http configuration omitted -->
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>

<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="customUserDetailsService"/>
        </bean>
    </property>
</bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>   

<bean id="customUserDetailsService" class="com.vzw.iaas.security.service.CustomUserDetailsService"></bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean>

<bean id="exceptionTranslationFilter"
 class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
    <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</bean>

<bean id="authenticationEntryPoint"
 class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/NotAuthorized.html"/>
</bean>

<bean id="accessDeniedHandler"
 class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/accessDenied.html"/>
</bean>

现在,当出现异常时,即当我向应用程序发送请求而不发送 SM_USER 应用程序而不是显示错误页面时,即在这种情况下 NotAuthorized.html 抛出和内部服务器 500 错误。

我想在以下场景中显示我的自定义错误页面。1. 发生AuthenticationException 2. 用户无权访问时。

Spring Security 大师可以告诉我我在这里缺少什么。

4

1 回答 1

1

将 exceptionIfHeaderMissing 标志设为 false。请求将使用 http403EntryPoint 处理,而不是抛出错误。

<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="exceptionIfHeaderMissing" value="false" />
</bean>
于 2013-11-11T07:08:03.283 回答