How to handle HTTP 403 with Spring Security 3.0.x


Problem description

I'm facing a little issue with Spring Security 3.0.x (3.0.2 in particular at the moment). The whole application I'm working on is working perfectly except when someone who doesn't have the authorities tries to log on.

When it occurs, the user is redirected to the "welcome" page, since his username/password are valid, and he receives a cute white page with this: "Error 403: Access is denied"

So, I've been looking on the net trying to find how this behavior can be handled. So far I've come to the conclusion, please correct me if I'm wrong, that it is managed by the ExceptionTranslationFilter. But I don't quite understand how to make any good use of this information.

I've tried to edit my SecurityContext.xml to add an access-denied-handler tag to my http tag, but it doesn't work. Do I need to add more than this tag to make it work? Are there any other possibilities to make my application more user-friendly?

Edit: I would like to redirect to a page, let's say 403.html, for example.

Sincerely,
Thanks

Recommended answer

I've found how to do this. By implementing the AccessDeniedHandler interface and the corresponding handle method I can easily control the way the HTTP 403 error is handled.

This way, you can add various items in the session and then intercept them on your jsp.

The XML file then looks like this:

<sec:http>
    <!-- lots of urls here -->
    <sec:access-denied-handler ref="accessDeniedHandler" />
    <sec:anonymous/>
</sec:http>

<bean id="accessDeniedHandler" class="foo.bar.CustomAccessDeniedHandler">
    <property name="accessDeniedUrl" value="403.html" />
</bean>

The Java class:

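package foo.bar;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public class CustomAccessDeniedHandler implements AccessDeniedHandler {
    // Target of the redirect, injected from the bean definition (e.g. "403.html")
    private String accessDeniedUrl;

    public CustomAccessDeniedHandler() {
    }

    public CustomAccessDeniedHandler(String accessDeniedUrl) {
        this.accessDeniedUrl = accessDeniedUrl;
    }

    // Called by ExceptionTranslationFilter when an authenticated user lacks the required authority
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // Set the session attribute first: sendRedirect commits the response,
        // and getSession() cannot create a session once the response is committed.
        request.getSession().setAttribute("CustomSessionAttribute", "value here");
        response.sendRedirect(accessDeniedUrl);
    }

    public String getAccessDeniedUrl() {
        return accessDeniedUrl;
    }

    public void setAccessDeniedUrl(String accessDeniedUrl) {
        this.accessDeniedUrl = accessDeniedUrl;
    }
}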

And a JSP example:

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <c:if test="${!empty CustomSessionAttribute}">
    <br/>
    ACCESS IS DENIED
    <br/>
 </c:if>
<!-- other stuff down here -->
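
A variant of the handler above, given here as an added example that is not part of the original answer: it forwards to the error page so the client still receives a real 403 status, flags the denial in request scope instead of the session, and logs who was refused which URL. The class name `ForwardingAccessDeniedHandler`, the `errorPage` property and the `accessDenied` attribute name are assumptions made for illustration.

```java
package foo.bar;

import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;

// Added example (hypothetical class name): forward instead of redirect.
public class ForwardingAccessDeniedHandler implements AccessDeniedHandler {
    private static final Logger LOG =
            Logger.getLogger(ForwardingAccessDeniedHandler.class.getName());
    private String errorPage; // context-relative path, e.g. "/403.html"

    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String user = (auth == null) ? "anonymous" : auth.getName();
        // Record who was refused what; control characters are replaced so a
        // crafted user name or URI cannot forge extra log lines.
        LOG.warning("Access denied: user=" + clean(user)
                + " uri=" + clean(request.getRequestURI())
                + " ip=" + request.getRemoteAddr());
        if (response.isCommitted()) {
            return; // too late to change the status or forward
        }
        if (errorPage == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access is denied");
            return;
        }
        // Keep the 403 status; a redirect would answer 302 followed by 200.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        // Request scope: the flag ends with this request, unlike a session attribute.
        request.setAttribute("accessDenied", Boolean.TRUE);
        request.getRequestDispatcher(errorPage).forward(request, response);
    }

    private static String clean(String s) {
        return s == null ? "" : s.replaceAll("\\p{Cntrl}", "_");
    }

    public void setErrorPage(String errorPage) {
        if (errorPage == null || !errorPage.startsWith("/")) {
            throw new IllegalArgumentException("errorPage must start with '/'");
        }
        this.errorPage = errorPage;
    }
}
```

To use it, point the `accessDeniedHandler` bean at this class with an `errorPage` property, and test `${!empty accessDenied}` in the JSP instead of the session attribute.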
