Spring 安全 - 创建 403 访问被拒绝自定义响应
[英]Spring security - creating 403 Access denied custom response
问题描述
我有一个 spring 启动 rest api 与 ZCFD61B8A7397FA7C10B2AE548FB5 身份验证。 问题是我无法摆脱默认的 403 Access Denied rest 响应,如下所示:
{
"timestamp": 1516206966541,
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/api/items/2"
}
我创建了自定义 AccessDeniedHandler:
public class CustomAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest req,
HttpServletResponse res,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
ObjectMapper mapper = new ObjectMapper();
res.setContentType("application/json;charset=UTF-8");
res.setStatus(403);
res.getWriter().write(mapper.writeValueAsString(new JsonResponse()
.add("timestamp", System.currentTimeMillis())
.add("status", 403)
.add("message", "Access denied")));
}
}
并将其添加到 WebConfig class
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Autowired
public WebSecurity(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, REGISTER_URL).permitAll()
.anyRequest().authenticated()
.and()
.exceptionHandling().accessDeniedHandler(accessDeniedHandler())
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), tokenProvider()))
.addFilter(new JWTAuthorizationFilter(authenticationManager(), tokenProvider()));
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
@Bean
public TokenProvider tokenProvider(){
return new TokenProvider();
}
@Bean
public AccessDeniedHandler accessDeniedHandler(){
return new CustomAccessDeniedHandler();
}
}
尽管如此,我仍然收到默认的拒绝访问响应。 调试时,我意识到自定义处理程序的handle方法甚至没有被调用。 这是什么情况?
6 个解决方案
解决方案1
15 已采纳 2018-01-17 22:20:20
我想我解决了这个问题。 我没有创建 AccessDeniedHandler 的实现,而是创建了一个自定义的 AuthenticationEntryPoint 并将其设置在异常处理中。
WebConfig 现在看起来像这样:
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private BCryptPasswordEncoder bCryptPasswordEncoder;
@Autowired
public WebSecurity(UserDetailsService userDetailsService, BCryptPasswordEncoder bCryptPasswordEncoder) {
this.userDetailsService = userDetailsService;
this.bCryptPasswordEncoder = bCryptPasswordEncoder;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, REGISTER_URL).permitAll()
.anyRequest().authenticated()
.and()
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), tokenProvider()))
.addFilter(new JWTAuthorizationFilter(authenticationManager(), tokenProvider()));
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
@Bean
public TokenProvider tokenProvider(){
return new TokenProvider();
}
@Bean
public AuthenticationEntryPoint authenticationEntryPoint(){
return new CustomAuthenticationEntryPoint();
}
}
和 CustomAuthenticationEntryPoint:
public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest req, HttpServletResponse res, AuthenticationException authException) throws IOException, ServletException {
res.setContentType("application/json;charset=UTF-8");
res.setStatus(403);
res.getWriter().write(JsonBuilder //my util class for creating json strings
.put("timestamp", DateGenerator.getDate())
.put("status", 403)
.put("message", "Access denied")
.build());
}
}
现在一切都如我所愿。
解决方案2
7 2018-12-04 06:38:37
我有同样的问题并试图按照正确的答案解决,但它没有解决问题。 处理此问题的最佳方法是实现自定义访问被拒绝处理程序。 AuthenticationEntryPoint 实现最好处理 401、UNAUTHORIZED 访问和 AccessDeniedHandler 实现用于 403、FORBIDDEN 访问。
将实现类中的 AccessDeniedHandler 方法重写为:
@Override
public void handle(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException, ServletException {
response.getWriter().write("Access Denied... Forbidden");
}
并在您的安全配置中添加这个自定义访问被拒绝处理程序,如下所示:
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint())
.accessDeniedHandler(accessDeniedHandler())
解决方案3
2 2020-05-14 16:10:54
试试这个
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.NEVER)
.and()
.csrf().disable()
.authorizeRequests()
.antMatchers(HttpMethod.POST, REGISTER_URL).permitAll()
.anyRequest().authenticated()
.and().exceptionHandling().accessDeniedPage("/view/notAuth")
.and()
.addFilter(new JWTAuthenticationFilter(authenticationManager(), tokenProvider()))
.addFilter(new JWTAuthorizationFilter(authenticationManager(), tokenProvider()));
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
}
@Bean
public TokenProvider tokenProvider(){
return new TokenProvider();
}
并为视图页面制作这个配置类
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.format.FormatterRegistry;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.validation.MessageCodesResolver;
import org.springframework.validation.Validator;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.method.support.HandlerMethodReturnValueHandler;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.config.annotation.AsyncSupportConfigurer;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
@Configuration
public class ViewRegistryConfig implements WebMvcConfigurer {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/view/notAuth").setViewName("notAuth");
}
@Override
public void configurePathMatch(PathMatchConfigurer configurer) {
// TODO Auto-generated method stub
}
@Override
public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
// TODO Auto-generated method stub
}
@Override
public void configureAsyncSupport(AsyncSupportConfigurer configurer) {
// TODO Auto-generated method stub
}
@Override
public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {
// TODO Auto-generated method stub
}
@Override
public void addFormatters(FormatterRegistry registry) {
// TODO Auto-generated method stub
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
// TODO Auto-generated method stub
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
// TODO Auto-generated method stub
}
@Override
public void addCorsMappings(CorsRegistry registry) {
// TODO Auto-generated method stub
}
@Override
public void configureViewResolvers(ViewResolverRegistry registry) {
// TODO Auto-generated method stub
}
@Override
public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
// TODO Auto-generated method stub
}
@Override
public void addReturnValueHandlers(List<HandlerMethodReturnValueHandler> returnValueHandlers) {
// TODO Auto-generated method stub
}
@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
// TODO Auto-generated method stub
}
@Override
public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
// TODO Auto-generated method stub
}
@Override
public void configureHandlerExceptionResolvers(List<HandlerExceptionResolver> exceptionResolvers) {
// TODO Auto-generated method stub
}
@Override
public void extendHandlerExceptionResolvers(List<HandlerExceptionResolver> exceptionResolvers) {
// TODO Auto-generated method stub
}
@Override
public Validator getValidator() {
// TODO Auto-generated method stub
return null;
}
@Override
public MessageCodesResolver getMessageCodesResolver() {
// TODO Auto-generated method stub
return null;
}
}
解决方案4
0 2019-01-16 20:01:59
这是一个最低限度的安全配置,它演示了在访问被拒绝 (403) 情况下调用自定义AccessDeniedHandler情况:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/css/**", "/index").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/user/**").hasRole("USER")
.and()
.formLogin()
.and()
.exceptionHandling()
.accessDeniedHandler((request, response, accessDeniedException) -> {
AccessDeniedHandler defaultAccessDeniedHandler = new AccessDeniedHandlerImpl();
defaultAccessDeniedHandler.handle(request, response, accessDeniedException);
});
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.inMemoryAuthentication()
.withUser(User.withDefaultPasswordEncoder().username("user").password("password").roles("USER"))
.withUser(User.withDefaultPasswordEncoder().username("admin").password("password").roles("ADMIN"));
}
}
重现步骤:
- 使用
user/password - 尝试访问
http://localhost:8080/user/index- 授予访问权限 - 尝试访问
http://localhost:8080/admin/index- 访问被拒绝并调用自定义AccessDeniedHandler
解决方案5
0 2022-09-12 17:10:54
在我的情况下,为 AccessDeniedException 添加 ExceptionHandler 可以解决问题。
@ExceptionHandler (value = {AccessDeniedException.class})
public void handleAccessDeniedException(HttpServletRequest request, HttpServletResponse response,
AccessDeniedException accessDeniedException) throws IOException {
// 403
response.sendError(HttpServletResponse.SC_FORBIDDEN, "Authorization Failed : " + accessDeniedException.getMessage());
}
解决方案6
-2 2018-01-17 17:03:26
根据这个:
http://www.baeldung.com/spring-security-custom-access-denied-page
您还需要添加:
.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
猜测进入“配置”。
Spring Security hasRole()提供错误403-访问被拒绝
[英]Spring security hasRole() giving Error 403 - Access is denied
错误403-使用Spring Security拒绝访问-ManyToMany注释问题?
[英]Error 403 - Access denied using Spring security - ManyToMany annotation issue?
如何使用 Spring Security 自定义 403 Forbidden/Access Denied Page
[英]How to customize the 403 Forbidden/Access Denied Page using Spring Security
通过自定义身份验证了解Spring Security中的“访问被拒绝”
[英]Understanding “Access Denied” in spring security with custom authentication
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
HTTP状态403 - 拒绝访问Spring安全性
spring 安全 HTTP 状态 403 - 访问被拒绝
Spring Security Access在发布后被拒绝403
获取后Spring Security Access拒绝403
403访问每次都拒绝Spring Security
Spring Security自定义身份验证提供程序403响应
Spring Security hasRole()提供错误403-访问被拒绝
错误403-使用Spring Security拒绝访问-ManyToMany注释问题?
如何使用 Spring Security 自定义 403 Forbidden/Access Denied Page
通过自定义身份验证了解Spring Security中的“访问被拒绝”
相关标签