Spring-security, 404 errors should be 401 or 403 in restricted folder
Question
I have this configuration in spring-security.xml:
<http
    create-session="stateless"
    realm="Protected API"
    auto-config="true"
    use-expressions="true">
    <intercept-url pattern="/**" access="permitAll" />
    <intercept-url pattern="/api/auth/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <intercept-url pattern="/api/auth/admin/**" access="hasRole('ROLE_ADMIN')" />
    <http-basic/>
</http>
So any user can access /api/mypublicservice1. Registered users can access /api/auth/userservice2. And only admins have access to /api/auth/admin/adminservice3. That's working.
But I want a better way to handle 404 requests in restricted folders.
For example:
- For an anonymous user, /api/auth/userservice2 returns 401
- For an anonymous user, /api/auth/thispagedoesntexist returns 404; instead it should return 401
- For a non-admin user, /api/auth/admin/adminservice3 returns 401
- For a non-admin user, /api/auth/admin/thispagedoesntexist returns 404; instead it should return 403
How can I return the proper authentication code (401/403) when a non-authorized user tries to access a non-existent page in a restricted folder? Custom filter? HandlerExceptionResolver?
Recommended answer
As pointed out by Luke Taylor, my intercept-url entries are in the wrong order:
<http
    create-session="stateless"
    realm="Protected API"
    use-expressions="true">
    <intercept-url pattern="/api/auth/admin/**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/api/auth/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <intercept-url pattern="/**" access="permitAll" />
    <http-basic/>
</http>
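To see why the order matters, here is a small Python model of how Spring Security evaluates intercept-url rules: rules are checked in declaration order, the first pattern that matches wins, and the authorization decision is made in the filter chain before the request ever reaches a controller, so a URL that does not exist still gets 401/403 when it falls under a restricted pattern. This is an added example written for this page, not Spring's code; the Ant-style matcher (`**`, `*`, `?`) is a simplified reimplementation, the set of "existing" paths is constructed from the URLs in the question, and the 401-for-anonymous / 403-for-wrong-role mapping is the usual behaviour of `<http-basic/>` with an authenticated-but-unauthorized user (an assumption of the model).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One <intercept-url>. An empty required_roles set means permitAll."""
    pattern: str
    required_roles: frozenset


def ant_to_regex(pattern: str) -> re.Pattern:
    """Simplified Ant-style matcher: '**' spans directories, '*' and '?' do not.
    A trailing '/**' also matches the directory itself, as Spring's AntPathMatcher does."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_matching_rule(rules, path):
    """Spring uses the FIRST matching intercept-url, so declaration order decides."""
    for rule in rules:
        if ant_to_regex(rule.pattern).match(path):
            return rule
    return None


def status_for(rules, existing_paths, path, user_roles):
    """Authorization is decided in the filter chain, before routing.
    user_roles is None for an anonymous request."""
    rule = first_matching_rule(rules, path)
    if rule is not None and rule.required_roles:
        if user_roles is None:
            return 401          # entry point challenges the anonymous caller
        if not (rule.required_roles & user_roles):
            return 403          # authenticated, but lacks every required role
    # Only now does the request reach the dispatcher, which may 404.
    return 200 if path in existing_paths else 404


# Rules exactly as declared in the question (wrong) and in the answer (correct).
WRONG_ORDER = (
    Rule("/**", frozenset()),
    Rule("/api/auth/**", frozenset({"ROLE_USER", "ROLE_ADMIN"})),
    Rule("/api/auth/admin/**", frozenset({"ROLE_ADMIN"})),
)
CORRECT_ORDER = tuple(reversed(WRONG_ORDER))

# Constructed: the three services named in the question are the only real endpoints.
EXISTING = frozenset({
    "/api/mypublicservice1",
    "/api/auth/userservice2",
    "/api/auth/admin/adminservice3",
})

ANON, USER, ADMIN = None, frozenset({"ROLE_USER"}), frozenset({"ROLE_ADMIN"})


if __name__ == "__main__":
    cases = [
        ("anonymous", ANON, "/api/auth/thispagedoesntexist"),
        ("ROLE_USER", USER, "/api/auth/admin/thispagedoesntexist"),
        ("ROLE_ADMIN", ADMIN, "/api/auth/admin/adminservice3"),
        ("anonymous", ANON, "/api/mypublicservice1"),
    ]
    for who, roles, path in cases:
        print(f"{who:10} {path:40} wrong={status_for(WRONG_ORDER, EXISTING, path, roles)} "
              f"correct={status_for(CORRECT_ORDER, EXISTING, path, roles)}")
```

With `/**` permitAll declared first, every request matches that rule and the restricted patterns are never consulted, so the dispatcher's 404 is what the caller sees. With the most specific pattern first, a request to a non-existent path under `/api/auth/admin/` is rejected with 401 (anonymous) or 403 (wrong role) before routing, which is also what stops an unauthenticated caller from using 404-versus-401 differences to learn which restricted endpoints exist.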