我春天的安全配置是Spring Security的顯示404,如果用戶沒有授權
<http pattern="/resources/**" security="none"/>
<http pattern="/login**" security="none"/>
<http pattern="/invalidsession**" security="none"/>
<http pattern="/forgotpassword**" security="none"/>
<http pattern="/accessdenied**" security="none"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/common/**" access="hasAnyRole('SITE_ADMIN','CLIENT_ADMIN')" />
<intercept-url pattern="/site/**" access="hasRole('SITE_ADMIN')" />
<intercept-url pattern="/**" access="hasRole('CLIENT_ADMIN')" />
<!-- access denied page
<access-denied-handler error-page="/accessdenied" />
-->
<access-denied-handler ref="my403" />
<form-login login-page="/login"
username-parameter="username"
password-parameter="password" authentication-failure-url="/login?error"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
/>
<logout logout-success-url="/login?logout" />
<session-management invalid-session-url="/invalidsession" />
</http>
當SITE_ADMIN用戶打開不存在的頁面,然後它顯示拒絕訪問頁面,而不是404頁。這是因爲<intercept-url pattern="/**" access="hasRole('CLIENT_ADMIN')" />
。 Spring未在pagenotfound之前檢查授權。如果頁面不存在並且SITE_ADMIN當前正在記錄,我該如何顯示404。
感謝您的評論。我告訴過我的經理,他說不要這樣做。 –