一:异常体系
Spring Security中异常主要分为两大类:
- AuthenticationException:认证异常
- AccessDeniedException:授权异常
其中认证所涉及的异常类型比较多,默认有18种,如下:
相比于认证异常,权限异常类就要少了很多,默认提供的权限异常如下:
二:自定义异常配置
在实际开发中,默认异常是无法满足需求的,需要大量的自定义异常类,Spring Security提供了两个方法来配置:
- authenticationEntryPoint():认证自定义异常
- accessDeniedHandler():授权自定义异常
至于这两个方法怎么使用,我们可以进入源码看看
首先是authenticationEntryPoint()
,可以看到,该方法要求我们传入AuthenticationEntryPoint的对象
public ExceptionHandlingConfigurer<H> authenticationEntryPoint(
AuthenticationEntryPoint authenticationEntryPoint) {
this.authenticationEntryPoint = authenticationEntryPoint;
return this;
}
进入AuthenticationEntryPoint接口,可以看到只有一个方法,因此在authenticationEntryPoint方法中可以直接传入Lambda表达式,但那样写不美观,配置与实现应该分离,因此我们可以新建一个类去实现这个接口
public interface AuthenticationEntryPoint {
/**
* 处理认证访问相关异常
* @param request 导致AuthenticationException的请求
* @param response 响应
* @param authException 异常信息
*/
void commence(HttpServletRequest request, HttpServletResponse response,
AuthenticationException authException) throws IOException, ServletException;
}
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
Map<String, Object> result = new HashMap<>();
result.put("code", 400);
result.put("msg", authException.getMessage());
response.setContentType("application/json;charset=UTF-8");
String s = new ObjectMapper().writeValueAsString(result);
response.getWriter().println(s);
}
}
accessDeniedHandler()
方法同理,其源码如下:
public ExceptionHandlingConfigurer<H> accessDeniedHandler(
AccessDeniedHandler accessDeniedHandler) {
this.accessDeniedHandler = accessDeniedHandler;
return this;
}
进入AccessDeniedHandler接口:
public interface AccessDeniedHandler {
/**
* 处理权限访问相关异常
* @param request 导致AccessDeniedException的请求
* @param response 响应
* @param accessDeniedException 异常信息
*/
void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException,
ServletException;
}
因此我们可以这样实现:
public class CustomAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
Map<String, Object> result = new HashMap<>();
result.put("code", 400);
result.put("msg", accessDeniedException.getMessage());
response.setContentType("application/json;charset=UTF-8");
String s = new ObjectMapper().writeValueAsString(result);
response.getWriter().println(s);
}
}
最后再在configure中将自定义处理配置进去:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.mvcMatchers("/hello1").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.successHandler(new CustomAuthenticationSuccessHandler())
.failureHandler(new CustomAuthenticationFailureHandler())
.and()
.logout()
.logoutSuccessHandler(new CustomLogoutSuccessHandler())
// 异常处理
.and()
.exceptionHandling()
.authenticationEntryPoint(new CustomAuthenticationEntryPoint()) // 认证异常
.accessDeniedHandler(new CustomAccessDeniedHandler()) // 授权异常;
}
如果有兴趣了解更多相关内容,欢迎来我的个人网站看看:瞳孔的个人网站