我有一个弹簧安全保护方法如下:
@PreAuthorize("hasRole('add_user')")
public void addUser(User user) ;
如果没有enoguh权限的用户试图调用它
,抛出accessDenied异常:
org.springframework.security.access.AccessDeniedException: Access is denied
这是预期的,但问题是,为什么定义的访问被拒绝处理程序
在security.xml配置文件中不起作用:
我的意思是没有工作,当用户没有足够的权限尝试按下按钮addUser将调用服务addUser(只有用户可以访问具有此权限)时,抛出AccessDenied异常,这是所需的行为,但用户不是不会重定向到xml中配置的访问被拒绝异常.
当抛出此异常时,用户是否应该自动重定向到访问被拒绝的页面,或者我必须在代码中明确定义此类行为?
请指教.
我使用Spring Security 3.0.5与JSF 2.1和ICEFaces 2
更新:applicationSecurity.xml:
logout logout-url="/logout" logout-success-url="/login" />
更新2:在异常之前进行调试:
DEBUG [http-bio-8080-exec-1] (PrePostAnnotationSecurityMetadataSource.java:93) - @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('add_user')) found on specific method: public void com.myapp.service.impl.UserServiceImpl.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException
DEBUG [http-bio-8080-exec-1] (DelegatingMethodSecurityMetadataSource.java:66) - Adding security method [CacheKey[com.myapp.service.impl.UserServiceImpl; public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException]] with attributes [[authorize: 'hasRole('add_user')',filter: 'null',filterTarget: 'null']]
DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:191) - Secure object: ReflectiveMethodInvocation: public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException; target is of class [com.myapp.service.impl.UserServiceImpl]; Attributes: [[authorize: 'hasRole('add_user')',filterTarget: 'null']]
DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:292) - PrevIoUsly Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c650d918: Principal: org.springframework.security.core.userdetails.User@db344023: Username: user@mycomp.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: access_viewUsers; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E6BBAC0CD4499B1455227DC6035CC882; Granted Authorities: access_viewUsers
DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@1d1e082e,returned: -1
DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.RoleVoter@1eab12f1,returned: 0
DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.AuthenticatedVoter@71689bf1,returned: 0
最佳答案
根据spring Security文档,该元素的access-denied-page属性的用户已在Spring 3.0及更高版本中弃用.
我们在应用程序中执行以下操作:
>通过扩展Spring Security框架的AccessDeniedHandlerImpl来创建自定义访问被拒绝处理程序.
>调用setErrorPage方法,传入将显示拒绝访问页面的控制器名称
>在我们的例子中,我们将用户的帐户锁定在自定义处理程序中 – 没有任何理由让任何用户获得访问被拒绝的异常,除非他们正在做他们不应该做的事情.我们还记录了他们试图访问的内容等.
>调用super.handle(_request,_response,_exception);在处理程序的末尾. Spring会将控制权转发给上面#2中列出的控制器.
public class AccessDeniedHandlerApp extends AccessDeniedHandlerImpl {
private static Logger logger = Logger.getLogger(AccessDeniedHandlerApp.class);
private static final String LOG_TEMPLATE = "AccessDeniedHandlerApp: User attempted to access a resource for which they do not have permission. User %s attempted to access %s";
@Override
public void handle(HttpServletRequest _request,HttpServletResponse _response,AccessDeniedException _exception) throws IOException,ServletException {
setErrorPage("/securityAccessDenied"); // this is a standard Spring MVC Controller
// any time a user tries to access a part of the application that they do not have rights to lock their account
}
这是我的XML:AccessDeniedHandlerApp扩展了’AccessDeniedHandlerImpl`
logout logout-success-url="/home" />
这是我的访问拒绝控制器 – 我应该早点发布 – 抱歉.为了让访问被拒绝的页面出现,我不得不使用重定向:
@Controller
public class AccessDeniedController {
private static Logger logger = Logger.getLogger(AccessDeniedController.class);
@RequestMapping(value = "/securityAccessDenied")
public String processAccessDeniedException(){
logger.info("Access Denied Handler");
return "redirect:/securityAccessDeniedView";
}
@RequestMapping(value = "/securityAccessDeniedView")
public String displayAccessDeniedView(){
logger.info("Access Denied View");
return "/SecurityAccessDenied";
}
请告诉我,如果这不能解决它,我将继续挖掘 – 我只是在本地再次测试它,这应该做的伎俩.
}
