缺少角色的Spring Security Access拒绝日志记录 [英] Spring Security Access Denied logging with missing role

问题描述

是否有针对Spring Security中拒绝访问记录的开箱即用解决方案. 我想要的基本上是显示用户遇到拒绝访问异常时缺少哪个角色.

Is there an out of the box solution for a access denied logging in spring security. What I want is basically show which role the user is missing when he gets the access denied exception.

如果没有，我必须走自己的accesssDeniedHandler的道路，我如何访问在该控制器上配置的角色，该角色抛出了访问被拒绝的异常.

If not, and I have to go down the path of having my own accesssDeniedHandler, how can I access the role configured on that controller which throwed access denied exception.

谢谢！

推荐答案

不，没有开箱即用的缺少角色"的概念.

No, there is no concept of "missing roles" out of the box.

拒绝访问事件是通过Spring的标准事件机制发布的，您可以使用ApplicationListener订阅这些事件，但是没有假设访问决策完全基于Spring Security中的角色.为此，您需要自定义AccessDecisionManager实现以记录有关其如何做出特定决定的信息.

Access denied events are published through Spring's standard event mechanism and you can use an ApplicationListener to subscribe to these, but there is no assumption that an access decision is purely based on roles in Spring Security. To achieve that, you would need to customize the AccessDecisionManager implementation to log information on how it arrived at a particular decision.

在这种情况下，AccessDeniedHandler并不重要.

The AccessDeniedHandler isn't really relevant in this case.

这篇关于缺少角色的Spring Security Access拒绝日志记录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！