Redirect to Login page or give 403 error based on requested URL

I have an app made with Spring Boot using Spring Security. This app uses MVC to show some pages and also uses some REST interfaces to update/get objects.

Right now, for every request I make without being logged in, I'm redirected to the /login page.

That's working as intended when I try to access it from the web browser. But I want the app to react differently when I try to access some particular path from the page, for example "/api/customers".

If I try to access that path, I want to return an HTTP 403 error, not redirect to the login page.

This is my Security configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers()
            .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN);

    http.authorizeRequests()
            .antMatchers("/js/**", "/img/**")
            .permitAll()
            .antMatchers("/**").authenticated()
            .and()
            .csrf().disable()
            .formLogin()
            .loginPage("/login")
            .usernameParameter("email")
            .passwordParameter("password")
            .and()
            .logout()
            .logoutUrl("/logout")
            .logoutSuccessUrl("/login?logged-out")
            .and()
            .exceptionHandling()
            .accessDeniedPage("/access-denied")

    ;
}

Is this possible?

You can create a custom AuthenticationEntryPoint:

https://docs.spring.io/spring-security/site/docs/4.0.4.RELEASE/reference/htmlsingle/#auth-entry-point

The AuthenticationEntryPoint will be called if the user requests a secure HTTP resource but they are not authenticated. An appropriate AuthenticationException or AccessDeniedException will be thrown by a security interceptor further down the call stack, triggering the commence method on the entry point. This does the job of presenting the appropriate response to the user so that authentication can begin.

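import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class Http401UnauthorizedEntryPoint implements AuthenticationEntryPoint {

    // Called when an unauthenticated request reaches a secured resource.
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException ex)
            throws IOException, ServletException {

        boolean somePath = request.getServletPath().equals("/somePath");

        if (somePath) {
            // Selected path: answer with 403 instead of redirecting.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
        } else {
            // Everything else: send the browser to the login page.
            response.sendRedirect("/login");
        }
    }
}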

and register it with the framework:

http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);

Spring Security has a DelegatingAuthenticationEntryPoint that allows selection of a concrete AuthenticationEntryPoint based on a RequestMatcher evaluation.

https://docs.spring.io/spring-security/site/docs/5.7.x/api/org/springframework/security/web/authentication/DelegatingAuthenticationEntryPoint.html
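
The DelegatingAuthenticationEntryPoint approach wired into a configuration like the one in the question, as an added example that is not part of the original posts. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter as used in the question; the class name SecurityConfig, the bean name and the "/api/**" pattern (chosen to cover "/api/customers") are assumptions.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Bean
    public AuthenticationEntryPoint delegatingEntryPoint() {
        // Matchers are evaluated in insertion order; the first match wins.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        // Unauthenticated REST calls get a bare 403 instead of a 302 to the login form.
        // "/api/**" is an assumed pattern covering the question's "/api/customers".
        entryPoints.put(new AntPathRequestMatcher("/api/**"), new Http403ForbiddenEntryPoint());

        DelegatingAuthenticationEntryPoint delegating =
                new DelegatingAuthenticationEntryPoint(entryPoints);
        // Every other request (browser page loads) keeps the redirect to /login.
        delegating.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
        return delegating;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/js/**", "/img/**").permitAll()
                .antMatchers("/**").authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .exceptionHandling()
                // An explicitly set entry point takes precedence over the one formLogin() registers.
                .authenticationEntryPoint(delegatingEntryPoint())
                // Authenticated users lacking permission still go to the access-denied page.
                .accessDeniedPage("/access-denied");
    }
}
```

The entry point only decides how unauthenticated requests are answered; which paths require authentication is still governed by the authorizeRequests() rules.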
