Spring Boot:accessDeniedHandler 不起作用 [英] Spring Boot: accessDeniedHandler does not work

问题描述

我有以下 Spring Security 配置:

I've got the following Spring Security configuration:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/private/**", "/app/**").authenticated();
        http.csrf().disable();
        http.logout().logoutSuccessUrl("/");
        http.exceptionHandling().accessDeniedPage("/403"); //.accessDeniedHandler(accessDeniedHandler);
    }
}

我期望以下逻辑:未通过身份验证的用户将被重定向到 /403.而不是 Spring 显示默认的 Tomcat 403 页面.我也尝试过自定义 accessDeniedHandler 并没有成功.

I expect the following logic: not authenticated users will be redirected to /403. Instead of that Spring displays a default Tomcat 403 page. I also tried custom accessDeniedHandler withough any success.

如何在访问失败时实现自定义逻辑?

How can I implement custom logic on access failure?

推荐答案

AccessDeniedHandler 仅适用于经过身份验证的用户.未经身份验证的用户的默认行为是重定向到登录页面(或任何适用于正在使用的身份验证机制的页面).

The AccessDeniedHandler only applies to authenticated users. The default behaviour for unauthenticated users is to redirect to the login page (or whatever is appropriate for the authentication mechanism in use).

如果你想改变它，你需要配置一个 AuthenticationEntryPoint，当未经身份验证的用户尝试访问受保护的资源时会调用它.你应该可以使用

If you want to change that you need to configure an AuthenticationEntryPoint, which is invoked when an unauthenticated user attempts to access a protected resource. You should be able to use

http.exceptionHandling().authenticationEntryPoint(...)

而不是你所拥有的.有关更多详细信息，请查看 API 文档.

instead of what you have. For more details, check the API docs.

这篇关于Spring Boot:accessDeniedHandler 不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！