java - spring security - 拒绝访问处理程序

Question

我在使用 Spring Security 和让访问拒绝处理程序工作时遇到了一些问题。

Spring Security 正在工作，但是当我在没有所需权限 (ROLE_ADMIN) 的情况下访问 /admin 时，Spring Security 只是重定向到我的登录表单页面的根页面。

我希望能够将用户重定向到 /accessdenied 或 /?accessdenied=true 这应该加载登录页面并显示以下消息：“权限被拒绝 - 请登录”

弹簧安全.xml：

<beans:beans 
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
                    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security 
                    http://www.springframework.org/schema/security/spring-security-3.1.xsd">


    <security:http>
        <security:intercept-url pattern='/home' access='ROLE_USER,ROLE_ADMIN' />
        <security:intercept-url pattern='/admin*' access='ROLE_ADMIN' />
        <security:form-login login-page='/' default-target-url='/home' authentication-failure-url='/?error=true' />
        <security:logout logout-success-url='/' />
        <security:access-denied-handler error-page="/accessdenied"/>
    </security:http>
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name='a' password='a' authorities='ROLE_ADMIN,ROLE_USER' />
                <security:user name='u' password='u' authorities='ROLE_USER' />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans:beans>

网页.xml：

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        /WEB-INF/spring/root-context.xml 
        /WEB-INF/spring/spring-security.xml
        </param-value>
    </context-param>

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Processes application requests -->
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

  <!-- Spring Security -->  
  <filter>  
    <filter-name>springSecurityFilterChain</filter-name>  
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>  
  </filter>  
  <filter-mapping>  
    <filter-name>springSecurityFilterChain</filter-name>  
    <url-pattern>/*</url-pattern>  
  </filter-mapping>  
  <welcome-file-list>  
    <welcome-file>login.jsp</welcome-file>  
  </welcome-file-list>  

</web-app>

LoginController.java 导入 java.util.Locale；

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    private static final Logger logger = LoggerFactory.getLogger(LoginController.class);

    /**
     * Simply selects the home view to render by returning its name.
     */
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String home(Locale locale, Model model) 
    {
        logger.info("Welcome home! The client locale is {}.", locale);

        return "login";
    }

    @RequestMapping(value = "/accessdenied", method = RequestMethod.GET)
    public String accessDenied(Locale locale, Model model) 
    {
        logger.info("Welcome home! The client locale is {}.", locale);

        model.addAttribute("message", "Permission denied - please login");

        return "login";
    }
}

我已经尝试了几个指南，包括以下内容，但都没有奏效：

http://www.mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/ 使用spring security的访问被拒绝页面不起作用 如何重定向到access-denied-page春季安全

任何帮助将不胜感激。

Answer 1

您能否检查日志并在您访问 /admin 页面时确认是否抛出了 AuthenticationException 或 AccessDeniedException。

您还访问了没有管理员权限的正确登录名的管理页面，或者您根本没有登录访问它？

编辑：

1. 您可以通过添加一些日志语句或调试来检查当您使用正确的登录名（没有管理员权限）访问 /admin 时，方法 accessDenied() 是否被调用？
2. 你也可以分享你的登录 jsp，你可能没有正确显示消息参数
3. 当用户没有必需的 priv 但是有效用户时，将调用 accessDeniedHandler，您可以在调试日志中看到类似的内容

访问被拒绝（用户不是匿名的）；委托给 AccessDeniedHandler

AccessDeniedHndler 会将请求转发到 errorPage（它不是重定向）

Answer 2

使用 Spring ExceptionTranslationFilter 将帮助您获得所需的输出。你可以试一试

添加与您的所有请求匹配的过滤器

然后注入 ExceptionTranslationFilter 如下

<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler">
        <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            <property name="errorPage" value="/login/denied.action"/>
        </bean>
    </property>
</bean>

Answer 3

这是简单的方法

三个步骤 1-

.exceptionHandling().accessDeniedPage("/access-denied")

2-

    @RequestMapping("/access-denied")
public void access(HttpServletResponse response  ,  HttpServletRequest request) throws IOException {
    response.sendRedirect(request.getContextPath() +"?accessDenied");
}

3-

<c:if test="${param.accessDenied != null }">
<i class="failed">access denied  .</i>                                  
</c:if>