Spring @ExceptionHandler没有捕获AccessDeniedException
[英]Spring @ExceptionHandler does not catch AccessDeniedException
问题描述
I have an exception handler set up with the following code 
我有一个使用以下代码设置的异常处理程序
@ExceptionHandler(Throwable.class)
public @ResponseBody CustomResponse handleException(Throwable throwable){
// handles exception, returns a JSON
}
I am using Spring Security 3.1. 我正在使用Spring Security 3.1。 When I try to do an operation without authentication, the application throws an AccessDeniedException. 当我尝试在没有身份验证的情况下执行操作时,应用程序会抛出AccessDeniedException。 It never comes to this method. 它永远不会出现这种方法。 But works fine with other exceptions. 但其他例外可以正常工作。 Is it the way it is supposed to work?? 这是应该工作的方式吗? Or is there something wrong with my code? 或者我的代码有问题吗?
This looks like a solution. 这看起来像一个解决方案。 But it would be better if I can handle exceptions at a single point. 但如果我能在一个点处理异常会更好。
Here is my configuration file 这是我的配置文件
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
<http auto-config="true" use-expressions="true">
//intercept urls
<form-login login-page="/signin" default-target-url="/" always-use-default-target="true"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder ref="encoder" />
</authentication-provider>
</authentication-manager>
<!-- This encoder doesn't require a salt -->
<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
UPDATE UPDATE
Here the user isn't authenticated (ROLE_ANONYMOUS). 这里用户未经过身份验证(ROLE_ANONYMOUS)。 When I try to access a protected page, it redirects me to the login URL. 当我尝试访问受保护的页面时,它会将我重定向到登录URL。 My problem here is that, I make an AJAX call. 我的问题在于,我进行了一次AJAX调用。 So redirecting to a method that returns ModelAndView doesn't work. 因此,重定向到返回ModelAndView的方法不起作用。 Is there a work around here? 这附近有工作吗?
2 个解决方案
解决方案1
9 已采纳 2013-01-20 15:01:49
Spring Security's request handling all takes place in the filter chain, before the dispatcher servlet is invoked, so it doesn't know anything about Spring MVC exception handlers and in fact can be used without Spring MVC at all. 在调度调度程序servlet之前,Spring Security的请求处理全部发生在过滤器链中,因此它对Spring MVC异常处理程序一无所知,实际上可以在没有Spring MVC的情况下使用它。
What you are seeing is expected behaviour for an unauthenticated user, but you don't want your Ajax calls to be redirected to UI code. 您所看到的是未经身份验证的用户的预期行为 ,但您不希望将Ajax调用重定向到UI代码。 It's difficult to say exactly what the best solution is since it's not obvious what you want the behaviour to be for an unauthenticated ajax call. 很难确切地说出最佳解决方案是什么,因为对于未经身份验证的ajax调用,您想要的行为并不明显。 If you want them to simply fail with a 403, for example, then you can separate the ajax api into a separate filter chain. 例如,如果您希望它们仅使用403失败,那么您可以将ajax api分离为单独的过滤器链。 For example, if your ajax calls are to /ajaxapi could add the following chain definition before the existing one: 例如,如果你的ajax调用是/ajaxapi可以在现有的之前添加以下链定义:
<http pattern="/ajaxapi/**" create-session="never" use-expressions="true" entry-point-ref="entryPoint">
<intercept-url pattern="/**" access="isAuthenticated()" />
</http>
<bean entryPoint="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
The ajax calls would all then just get a 403 response until a user authenticated via the browser interface. 然后,ajax调用只会获得403响应,直到用户通过浏览器界面进行身份验证。
解决方案2
1 2013-01-20 11:45:49
I guess you defined a <access-denied-handler> in your spring security configuration. 我猜你在spring安全配置中定义了一个<access-denied-handler> 。 This handler is catching the AccessDeniedException . 此处理程序正在捕获AccessDeniedException 。 That's probably why you don't get it in your generic ExceptionHandler . 这可能就是为什么你没有在你的通用ExceptionHandler得到它。
There is a default AccessDeniedHandler (comes with the default spring security setup). 有一个默认的AccessDeniedHandler(默认的弹簧安全设置)。 Please read this for more details. 请阅读此内容以获取更多详情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.