春季启动:accessDeniedHandler不起作用 [英] Spring Boot: accessDeniedHandler does not work

问题描述

我具有以下Spring Security配置:

I've got the following Spring Security configuration:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/private/**", "/app/**").authenticated();
        http.csrf().disable();
        http.logout().logoutSuccessUrl("/");
        http.exceptionHandling().accessDeniedPage("/403"); //.accessDeniedHandler(accessDeniedHandler);
    }
}

我期望以下逻辑:未经身份验证的用户将被重定向到/403. Spring会显示默认的Tomcat 403页面，而不是该页面.我也尝试了自定义accessDeniedHandler，但没有成功.

I expect the following logic: not authenticated users will be redirected to /403. Instead of that Spring displays a default Tomcat 403 page. I also tried custom accessDeniedHandler withough any success.

如何在访问失败时实施自定义逻辑?

How can I implement custom logic on access failure?

推荐答案

AccessDeniedHandler仅适用于经过身份验证的用户.未经身份验证的用户的默认行为是重定向到登录页面(或适用于所使用身份验证机制的任何内容).

The AccessDeniedHandler only applies to authenticated users. The default behaviour for unauthenticated users is to redirect to the login page (or whatever is appropriate for the authentication mechanism in use).

如果要更改，则需要配置AuthenticationEntryPoint，当未经身份验证的用户尝试访问受保护的资源时将调用该AuthenticationEntryPoint.您应该可以使用

If you want to change that you need to configure an AuthenticationEntryPoint, which is invoked when an unauthenticated user attempts to access a protected resource. You should be able to use

http.exceptionHandling().authenticationEntryPoint(...)

而不是您拥有的.有关更多详细信息，请检查

instead of what you have. For more details, check the API docs.

这篇关于春季启动:accessDeniedHandler不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！