堆栈内存溢出
  繁体   English   中英

如何在 Spring Boot REST API 中捕获 AccessDeniedException

[英]How to catch AccessDeniedException in Spring Boot REST API

 原文  2017-07-26 04:43:05       spring/ security/ spring-boot

问题描述

我有一个带有 2 个端点的简单 Spring Boot REST API,一个受保护,一个不受保护。 对于受保护的,我想捕获AccessDeniedException并发送 401 而不是默认的 500 错误。 这是我的安全配置:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter{

@Override
public void configure(WebSecurity webSecurity) {
    webSecurity.ignoring().antMatchers("/");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .exceptionHandling()
            .accessDeniedHandler(new AccessDeniedHandler() {
                @Override
                public void handle(HttpServletRequest request, HttpServletResponse response, org.springframework.security.access.AccessDeniedException accessDeniedException) throws IOException, ServletException {
                    System.out.println("I am here now!!!");
                }
            });

    http
            .addFilterAfter(getSecurityFilter(), FilterSecurityInterceptor.class);
    http
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    http
            .csrf()
            .disable();
    http
            .authorizeRequests()
            .antMatchers("/protected").anonymous();
}

public Filter getSecurityFilter() {
    return new Filter() {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            //do nothing here
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            String appKeyHeaderValue = ((HttpServletRequest)request).getHeader("X-AppKey");
            if(appKeyHeaderValue!=null && appKeyHeaderValue.equals("MY_KEY")) {
                chain.doFilter(request,response);
            } else {
                throw new AccessDeniedException("Access denied man");
            }
        }

        @Override
        public void destroy() {

        }
    };
}

}

我从来没有看到我的I am here now!!! print 语句,我看到的是默认页面Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback. Tue Jul 25 23:21:15 CDT 2017 There was an unexpected error (type=Internal Server Error, status=500). Access denied man Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback. Tue Jul 25 23:21:15 CDT 2017 There was an unexpected error (type=Internal Server Error, status=500). Access denied man Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback. Tue Jul 25 23:21:15 CDT 2017 There was an unexpected error (type=Internal Server Error, status=500). Access denied man注意我的Access denied man是如何在抛出异常时打印出来的。

当我运行项目时,我还在控制台中看到以下内容: 2017-07-25 23:21:14.818 INFO 3872 --- [ restartedMain] swsmmaRequestMappingHandlerMapping : Mapped "{[/error]}" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest) 2017-07-25 23:21:14.818 INFO 3872 --- [ restartedMain] swsmmaRequestMappingHandlerMapping : Mapped "{[/error],produces=[text/html]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)

这是我的项目结构的样子:

在此处输入图片说明

2 个解决方案

解决方案1
 8  2018-12-28 14:31:10

我使用一个自定义类扩展ResponseEntityExceptionHandler和一些注释。

你只需要像这样创建一个类:

@ControllerAdvice
public class CustomResponseEntityExceptionHandler extends ResponseEntityExceptionHandler {

    @ExceptionHandler(AccessDeniedException.class)
    public final ResponseEntity<ErrorMessage> handleAccessDeniedException(AccessDeniedException ex, WebRequest request) {
        ErrorMessage errorDetails = new ErrorMessage(new Date(), ex.getMessage(), request.getDescription(false));
        return new ResponseEntity<>(errorDetails, HttpStatus.FORBIDDEN);
    }

}

在这种情况下,答案将类似于:

{
    "timestamp": "2018-12-28T14:25:23.213+0000",
    "message": "Access is denied",
    "details": "uri=/user/list"
}

解决方案2
 0 已采纳  2017-07-26 05:09:32

正如@Afridi 所建议的那样,异常甚至在到达控制器之前就发生了,因此必须在过滤器链中进行处理。 我建议执行以下操作:

public class AccessDeniedExceptionFilter extends OncePerRequestFilter {

    @Override
    public void doFilterInternal(HttpServletRequest req, HttpServletResponse res, 
                                FilterChain fc) throws ServletException, IOException {
        try {
            fc.doFilter(request, response);
        } catch (AccessDeniedException e) {
         // log error if needed here then redirect
     RequestDispatcher requestDispatcher = 
             getServletContext().getRequestDispatcher(redirecturl);
     requestDispatcher.forward(request, response);

    }
}

添加此过滤器以过滤链

protected void configure(HttpSecurity http) throws Exception {
http
....
.addFilterAfter(httpClientFilter(), AccessDeniedExceptionFilter.class)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在Spring Boot Rest API中捕获异常 Spring @ExceptionHandler没有捕获AccessDeniedException 带有 Spring Boot 的 API Rest 如何重构此 REST API Spring 启动应用程序? 如何在 Spring boot(Rest api) 中使用 JCS 如何在 spring 引导中通过 Rest API 下载文件? 如何使用 Spring Boot 和 Spring Security 保护 REST API? spring boot rest api的指标 测试 Spring Boot REST API Rest Api 设计 Spring 启动
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM