Spring Security Access Denied Yields HTTP 405

I have a Spring web app that uses a customized AccessDecisionVoter. This customized decision voter will find the required permission to access a URL, and then check if the login user has been granted the required permission.

If the login user doesn't have the required permission granted, then this customized decision voter shall return ACCESS_DENIED; otherwise it shall return ACCESS_GRANTED.

The problem now is: when a user tries to access a URL that he hasn't been granted permission for, the app serves an HTTP 405. Note that when the user accesses the URL via the GET method (e.g. entering the URL into the browser address bar), he will get HTTP 403. The HTTP 405 occurs only with the POST method. Take note that my spring-mvc controller doesn't restrict the HTTP method.

I confirm that the decision voter is returning ACCESS_DENIED (-1), based on my log file. Somehow my browser just received an HTTP 405.

I am using spring-security 5.0.1.

Below is my code:

My customized decision voter:

@Override
public int vote(Authentication authentication, Object object, Collection securityConfigs) {
    logger.debug("Authorization in progress");
    if (authentication == null) {
        logger.info("No authentication. Access Denied.");
        return ACCESS_DENIED;
    }

    if (securityConfigs.size() == 0) {
        logger.info("No matching Page Config found for the given URL. Access Denied.");
        return ACCESS_DENIED;
    }

    int result = ACCESS_ABSTAIN;
    Set<String> authorities = extractAuthorities(authentication);

    String username = authentication.getName().toUpperCase();
    logger.debug("authentication.getName() = " + username);

    for (Object configObject : securityConfigs) {
        SecurityConfig config = (SecurityConfig) configObject;
        if (this.supports(config.getAttribute())) {
            result = ACCESS_DENIED;
            String attributeUpperCase = config.getAttribute().toUpperCase();
            logger.debug("config attribute = " + attributeUpperCase);

            if (authorities.contains(attributeUpperCase)) {
                logger.info("The request url has config attribute that matches the login user's granted Master Function Code. Access Granted. The matching config attribute = " + attributeUpperCase);
                return ACCESS_GRANTED;
            }
        }
    }

    logger.info("Voting Result from DaxVoter = " + result);

    return result;
}

My controller:

@ResponseBody
@RequestMapping(value ="/road/retrieveRoad.do")
public Map<String, Object> retrieveRoad(HttpServletRequest request, @RequestBody DataParamsBean dataParams) {
    logger.info("CommonSupportCtrl | retrieveRoad | Start"); 
    Map<String, Object> resultMap = new HashMap<String, Object>();

    int start = dataParams.getSkip();
    int limit = (dataParams.getTake() == 0) ? 10 : (int) dataParams.getTake();
    String sortBy = (dataParams.getSorted() == null) ? null : (String) dataParams.getSorted().get(0).get("name");
    String sortDirection = (dataParams.getSorted() == null) ? null : (String) dataParams.getSorted().get(0).get("direction");
    String roadCode = dataParams.getParams().get("id") == null ? null : (String) dataParams.getParams().get("id");
    String roadName = dataParams.getParams().get("roadName") == null ? null : (String) dataParams.getParams().get("roadName");

    if(sortDirection != null) {
        if(sortDirection.equalsIgnoreCase("ascending")) {
            sortDirection = "asc";
        } else {
            sortDirection = "desc";
        }
    }

    GenericSearchResults<RoadBean> searchResults = commonSupportService.retrieveRoadByCriteria(roadName, roadCode, start, limit,
            sortBy, sortDirection);

    resultMap.put("result", searchResults.getResult());
    resultMap.put("count", searchResults.getCount());

    logger.info("CommonSupportCtrl | retrieveRoad | End"); 
    return resultMap;
}

I managed to resolve it. It's actually due to the that I have configured in the web.xml. I resolved it by changing my error pages from .htm to .jsp instead, just changing the file format, without changing the content at all. So I assume the .htm just can NOT support the POST method, while the .jsp can.
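Another way to keep the denial visible as a 403 on POST requests, as an added example that is not part of the original post: a custom AccessDeniedHandler that writes the 403 itself, so the status does not depend on how the web.xml error page is served for a POST. The class name DirectForbiddenHandler and the JSON body are assumptions; the logger is the commons-logging API that ships with Spring.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Added example (hypothetical class name, not from the original post).
 * Answers a denied request with 403 directly, for every HTTP method.
 */
public class DirectForbiddenHandler implements AccessDeniedHandler {

    private static final Log logger = LogFactory.getLog(DirectForbiddenHandler.class);

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException denied) throws IOException {
        // Record the denial server-side so a 403 can be correlated with the voter log.
        logger.warn("Access denied: " + request.getMethod() + " "
                + request.getRequestURI() + " user=" + request.getRemoteUser());

        if (response.isCommitted()) {
            return; // too late to change the status or the body
        }

        // setStatus (unlike sendError) does not trigger the container's
        // error-page dispatch, so no static page has to accept a POST.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setContentType("application/json");
        // Constructed body; adjust to whatever the client expects.
        response.getWriter().write("{\"error\":\"forbidden\"}");
    }
}
```

Register it with `http.exceptionHandling().accessDeniedHandler(new DirectForbiddenHandler())` in Java config, or with `<access-denied-handler ref="..."/>` in the XML namespace.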
