Spring @ExceptionHandler不捕获AccessDeniedException [英] Spring @ExceptionHandler does not catch AccessDeniedException
问题描述
我有一个使用以下代码设置的异常处理程序
@ExceptionHandler(Throwable.class)
public @ResponseBody CustomResponse handleException(Throwable throwable){
//处理异常,返回JSON
}
我使用的是Spring Security 3.1。当我尝试在没有身份验证的情况下执行操作时,应用程序会抛出AccessDeniedException。它永远不会出现在这种方法中。但与其他例外情况一起工作正常这是应该工作的方式吗?或者我的代码有问题吗?
这个看起来像一个解决方案。但如果我能在单点处理异常会更好。
这是我的配置文件
< global-method-security secured-annotations =enabledpre-post-annotations =enabled/>
< http auto-config =trueuse-expressions =true>
//拦截网址
< form-login login-page =/ signindefault-target-url =/always-use-default-target =true/>
< / http>
< authentication-manager>
< authentication-provider user-service-ref =userDetailsService>
< password-encoder ref =encoder/>
< / authentication-provider>
< / authentication-manager>
<! - 此编码器不需要盐 - >
< beans:bean id =encoderclass =org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder/>
更新
此处用户未经过身份验证(ROLE_ANONYMOUS)。当我尝试访问受保护的页面时,它会将我重定向到登录URL。我的问题在于,我进行了一次AJAX调用。因此,重定向到返回ModelAndView的方法不起作用。这里有解决方法吗?
在调度调度程序servlet之前,Spring Security的请求处理全部发生在过滤器链中,所以它对Spring MVC异常处理程序一无所知,实际上可以在没有Spring MVC的情况下使用。
你看到的是预期的行为,但您不希望使用Ajax调用被重定向到UI代码。很难确切地说出最佳解决方案是什么,因为对于未经身份验证的ajax调用,您希望行为不明显。例如,如果您希望它们仅使用403失败,那么您可以将ajax api分离为单独的过滤器链。例如,如果你的ajax调用是 / ajaxapi
可以在现有的之前添加以下链定义:
< http pattern =/ ajaxapi / **create-session =neveruse-expressions =trueentry-point-ref =entryPoint>
< intercept-url pattern =/ **access =isAuthenticated()/>
< / http>
< bean entryPoint =org.springframework.security.web.authentication.Http403ForbiddenEntryPoint/>
ajax调用只会获得403响应,直到用户通过浏览器界面进行身份验证。 / p>
I have an exception handler set up with the following code
@ExceptionHandler(Throwable.class)
public @ResponseBody CustomResponse handleException(Throwable throwable){
// handles exception, returns a JSON
}
I am using Spring Security 3.1. When I try to do an operation without authentication, the application throws an AccessDeniedException. It never comes to this method. But works fine with other exceptions. Is it the way it is supposed to work?? Or is there something wrong with my code?
This looks like a solution. But it would be better if I can handle exceptions at a single point.
Here is my configuration file
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<http auto-config="true" use-expressions="true">
//intercept urls
<form-login login-page="/signin" default-target-url="/" always-use-default-target="true"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="encoder" />
</authentication-provider>
</authentication-manager>
<!-- This encoder doesn't require a salt -->
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
UPDATE
Here the user isn't authenticated (ROLE_ANONYMOUS). When I try to access a protected page, it redirects me to the login URL. My problem here is that, I make an AJAX call. So redirecting to a method that returns ModelAndView doesn't work. Is there a work around here?
Spring Security's request handling all takes place in the filter chain, before the dispatcher servlet is invoked, so it doesn't know anything about Spring MVC exception handlers and in fact can be used without Spring MVC at all.
What you are seeing is expected behaviour for an unauthenticated user, but you don't want your Ajax calls to be redirected to UI code. It's difficult to say exactly what the best solution is since it's not obvious what you want the behaviour to be for an unauthenticated ajax call. If you want them to simply fail with a 403, for example, then you can separate the ajax api into a separate filter chain. For example, if your ajax calls are to /ajaxapi
could add the following chain definition before the existing one:
<http pattern="/ajaxapi/**" create-session="never" use-expressions="true" entry-point-ref="entryPoint">
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<bean entryPoint="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
The ajax calls would all then just get a 403 response until a user authenticated via the browser interface.
这篇关于Spring @ExceptionHandler不捕获AccessDeniedException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!