In Spring Security, when an unauthorised user tries to access a protected page, the default "HTTP 403 Access is denied" page is shown:
In this tutorial, we show you how to customise the 403 access denied page in Spring Security.
1. Spring Security Configuration
Review the configuration: if "alex" tries to access the /admin page, the 403 access denied page shown above is displayed.
```xml
<http auto-config="true">
    <access-denied-handler error-page="/403" />
    <intercept-url pattern="/admin**" access="ROLE_ADMIN" />
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="alex" password="123456" authorities="ROLE_USER" />
            <user name="mkyong" password="123456" authorities="ROLE_USER, ROLE_ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```
2. Solution – Custom 403 Page
2.1 Create a new 403 page.
```html
<html>
<body>
    <h1>HTTP Status 403 - Access is denied</h1>
    <h2>${msg}</h2>
</body>
</html>
```
2.2 To display the page above, add an error-page attribute as shown below:
```xml
<http auto-config="true">
    <access-denied-handler error-page="/403" />
    <intercept-url pattern="/admin**" access="ROLE_ADMIN" />
</http>
```
2.3 In the controller class, add a mapping for the "/403" URL:
```java
package com.mkyong.web.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class HelloController {

    // Mapping for the 403 access denied page. The Principal is still
    // available here because the denied request is forwarded, not
    // re-authenticated, so the message can address the logged-in user.
    @RequestMapping(value = "/403", method = RequestMethod.GET)
    public ModelAndView accessDenied(Principal user) {

        ModelAndView model = new ModelAndView();

        if (user != null) {
            model.addObject("msg", "Hi " + user.getName()
                + ", you do not have permission to access this page!");
        } else {
            model.addObject("msg",
                "You do not have permission to access this page!");
        }

        // Renders the "403" view created in step 2.1
        model.setViewName("403");
        return model;
    }
}
```
Done.
For annotation (Java configuration) users, use `.exceptionHandling().accessDeniedPage("/403")` instead:
```java
package com.mkyong.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests()
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
            .and().formLogin()
                .loginPage("/login").failureUrl("/login?error")
                .usernameParameter("username")
                .passwordParameter("password")
            .and().logout().logoutSuccessUrl("/login?logout")
            .and()
            // Equivalent of <access-denied-handler error-page="/403" />
            .exceptionHandling().accessDeniedPage("/403");
    }
}
```
3. AccessDeniedHandler
Alternatively, you can create a custom AccessDeniedHandler to run some business logic before passing the request on to the /403 mapping.
```java
package com.mkyong.web.exception;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public class MyAccessDeniedHandler implements AccessDeniedHandler {

    // Target URL the client is redirected to after a denied request
    private String errorPage;

    public MyAccessDeniedHandler() {
    }

    public MyAccessDeniedHandler(String errorPage) {
        this.errorPage = errorPage;
    }

    public String getErrorPage() {
        return errorPage;
    }

    public void setErrorPage(String errorPage) {
        this.errorPage = errorPage;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException)
            throws IOException, ServletException {

        // Do some business logic, then redirect to the errorPage URL.
        // Note: a redirect changes the browser's URL to the error page
        // (see the demo in section 4.2).
        response.sendRedirect(errorPage);
    }
}
```
Add a ref to the http tag.
```xml
<http auto-config="true">
    <access-denied-handler ref="my403" />
    <intercept-url pattern="/admin**" access="ROLE_ADMIN" />
</http>

<beans:bean id="my403"
    class="com.mkyong.web.exception.MyAccessDeniedHandler">
    <beans:property name="errorPage" value="403" />
</beans:bean>
```
Done.
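As an added example that is not part of the original tutorial, the handler below develops section 3 from the defender's side: it writes an audit line for every denied request (who, what, from where, why), keeps the genuine 403 status code instead of turning it into a 302 redirect, and forwards to the /403 mapping so the browser's URL stays on the protected path, which is the behaviour the built-in error-page option shows in section 4.1. The class names AuditingAccessDeniedHandler and AuditSecurityConfig are assumptions made for this example; the Spring Security types used (AccessDeniedHandler, SecurityContextHolder, the accessDeniedHandler(...) method of exceptionHandling()) are the framework's own.

```java
package com.mkyong.web.exception; // placed beside MyAccessDeniedHandler (assumed layout)

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Example handler (hypothetical name): audits the denied request, keeps the
 * 403 status and forwards to the /403 controller mapping rather than
 * redirecting, so the original request (and its Principal) reaches the view.
 */
public class AuditingAccessDeniedHandler implements AccessDeniedHandler {

    private static final Logger LOG =
            Logger.getLogger(AuditingAccessDeniedHandler.class.getName());

    // Path handled by the /403 mapping of the controller in section 2.3
    private final String errorPage;

    public AuditingAccessDeniedHandler(String errorPage) {
        this.errorPage = errorPage;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException ex) throws IOException, ServletException {

        // The authenticated user is still in the security context at this
        // point; fall back to "anonymous" if nobody is logged in.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String user = (auth != null) ? auth.getName() : "anonymous";

        // Audit trail: one line per denied request, suitable for alerting
        // on repeated attempts against admin URLs. getRemoteAddr() is the
        // direct peer; behind a reverse proxy read the proxy's header instead.
        LOG.warning(String.format(
                "access denied: user=%s method=%s uri=%s remote=%s reason=%s",
                user, request.getMethod(), request.getRequestURI(),
                request.getRemoteAddr(), ex.getMessage()));

        if (response.isCommitted()) {
            return; // headers already sent, nothing more can be changed
        }

        // Forwarding preserves the 403 status and the /admin URL in the browser;
        // sendRedirect() would answer 302 and the error page would then be served
        // with 200, which hides the denial from status-code based monitoring.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
        dispatcher.forward(request, response);
    }
}

/**
 * Java-config wiring (hypothetical class): the handler replaces
 * accessDeniedPage("/403") from section 2, everything else stays the same.
 */
@Configuration
@EnableWebSecurity
class AuditSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
            .and().formLogin()
            .and().exceptionHandling()
                .accessDeniedHandler(new AuditingAccessDeniedHandler("/403"));
    }
}
```

With the XML style of configuration the same class is wired exactly like MyAccessDeniedHandler above, through a bean referenced by `<access-denied-handler ref="..."/>`; pass "/403" (context-relative) as the constructor argument, since a forward path, unlike the relative redirect value "403" used in the bean above, is resolved against the servlet context root.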
4. Demo
When "alex" tries to access the /admin page, the custom 403 access denied page above is displayed.
4.1 If error-page is used, the URL is shown as follows:
http://localhost:8080/spring-security-403-access-denied/admin
4.2 If a custom access denied handler ref is used, the URL is shown as follows:
http://localhost:8080/spring-security-403-access-denied/403
Download Source Code
Download it – spring-security-403-access-denied.zip (26 KB)
References
Translated from: https://mkyong.com/spring-security/customize-http-403-access-denied-page-in-spring-security/