首先编写自定的AccessDeniedHandler,代码如下:
public class MyAccessDeniedHandler implements AccessDeniedHandler{
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
// TODO Auto-generated method stub
response.setCharacterEncoding("UTF-8");
response.setContentType("text/html;charset=utf-8");
ObjectMapper mapper = new ObjectMapper();
String result= mapper.writeValueAsString(new JsonResult(ResultCode.USER_NO_PERMISSION,ResultCode.USER_NO_PERMISSION.msg()));
response.getWriter().print(result);
}
}
目的:当用户访问了不属于自己权限的访问路径的时候,返回json格式的异常错误提示代码
下一步:在继承了WebSecurityConfigurerAdapter的类中添加相应的配置,配置如下:
@Override
protected void configure(HttpSecurity http) throws Exception {
// TODO Auto-generated method stub
System.out.println(deniedHandler);
http.authorizeRequests().antMatchers("/login/**").permitAll().anyRequest().authenticated().and().formLogin()// .loginPage("/login")
.successHandler(successHandler).failureHandler(failureHandler).and()
.exceptionHandling().authenticationEntryPoint(entryPoint)// json提示用户没有登录不需要用户跳转到登录页面去
.accessDeniedHandler(deniedHandler)// 权限拦截器,提示用户没有当前权限
.and().csrf().disable();
}
然后开开心心的重启服务,等待实验结果:
结果,不管怎么样都不能返回之前定义MyAccessDeniedHandler类中所期待的结果
最后发现:配置,代码都没问题,问题出现在之前定义好的异常统一处理类中,看下边的代码:
@RestControllerAdvice
public class ControllerExceptionAdvice {
@ResponseBody
@ExceptionHandler(java.lang.Exception.class)
public JsonResult handleRE(Exception ex){
System.out.println(ex.getMessage());
return new JsonResult(ResultCode.EXCEPTION, ResultCode.EXCEPTION.msg());
}
在这个位置,Exception捕获了我们所期待的AccessDeniedException,导致每次其实返回的是@ExceptionHandler中返回的结果,而不是我们希望提示的ResultCode.USER_NO_PERMISSION.msg()里边的类容
也就说这个异常被Exception抓捕了(但是其他异常都是spring security自己抛出,没有被这个位置的处理类统一处理了)
最后只能在这个异常处理类中添加下面代码:
@ResponseBody
@ExceptionHandler(AccessDeniedException.class)
public JsonResult handleAccessRE(AccessDeniedException ex){
System.out.println(ex.getMessage());
return new JsonResult(ResultCode.USER_NO_PERMISSION, ResultCode.USER_NO_PERMISSION.msg());
}
我们手工在这里捕获AccessDeniedException 异常,免得被Exception捕获了,实验最终返回了如下数据:
{"success":"2008","message":"当前用户没有权限,请联系管理员","data":null}
实验完成