2012-10-31 95 views
0

I have implemented Spring Security in my project, but I am having trouble defining the redirect. When access is denied, I need to redirect that user to a specific URL.

Spring Security error trying to redirect "Access Denied"

When I put in the "access-denied-handler" tag I expected it to redirect to the page defined on the bean, but that does not happen.

security-context.xml

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:security="http://www.springframework.org/schema/security" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans.xsd 
         http://www.springframework.org/schema/security 
         http://www.springframework.org/schema/security/spring-security-3.1.xsd"> 

<!-- Method Security --> 
<security:global-method-security pre-post-annotations="enabled"> 
    <security:expression-handler ref="expressionHandler" /> 
</security:global-method-security> 


<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> 
    <property name="permissionEvaluator" ref="permissionEvaluator"/> 
</bean> 

<bean id="permissionEvaluator" class="net.pontoall.hemisphere.security.HemispherePermissionEvaluator"/> 

<!-- Publicos --> 
<security:http pattern="/layouts/**" security="none" /> 
<security:http pattern="/messages/**" security="none" /> 
<security:http pattern="/test/**" security="none" /> 
<security:http pattern="/resources/**" security="none" /> 
<security:http pattern="/login/**" security="none" /> 
<security:http pattern="/install/**" security="none" /> 
<security:http pattern="/cobredireto/**" security="none" /> 
<security:http pattern="/hotsite/**" security="none" /> 
<security:http pattern="/captcha.jpg" security="none" /> 

<security:http auto-config="true" use-expressions="true"> 

    <security:access-denied-handler ref="HemisphereAccessDeniedHandler"/> 

    <security:intercept-url pattern="/**" access="isAuthenticated()" /> 

    <security:form-login login-page="/login" default-target-url="/home" 
         authentication-failure-url="/login?logout=true" 
         authentication-success-handler-ref="authenticationSuccessHandler" 
         authentication-failure-handler-ref="authenticationFailureHandler"/> 

    <security:logout logout-url="/j_spring_security_logout" invalidate-session="true" success-handler-ref="logoutHandler"/> 
</security:http> 

<!-- Authentication Manager --> 
<security:authentication-manager alias="authenticationManager"> 
    <!-- Custom Authentication provider --> 
    <security:authentication-provider ref="hemisphereAuthenticationProvider"/> 
</security:authentication-manager> 

<bean id="hemisphereAuthenticationProvider" class="net.pontoall.hemisphere.security.HemisphereAuthenticationProvider"> 
    <property name="userDetailsService" ref="userDetailService"/> 
</bean> 

<bean id="authenticationSuccessHandler" class="net.pontoall.hemisphere.security.HemisphereAuthenticationSuccessHandler"> 
    <property name="defaultTargetUrl" value="/home" /> 
    <property name="alwaysUseDefaultTargetUrl" value="no" /> 
</bean> 

<bean id="authenticationFailureHandler" class="net.pontoall.hemisphere.security.HemisphereAuthenticationFailureHandler"> 
    <property name="defaultFailureUrl" value="/login" /> 
</bean> 

<bean id="logoutHandler" class="net.pontoall.hemisphere.security.HemisphereLogoutHandler"/> 

<bean id="HemisphereAccessDeniedHandler" class="net.pontoall.hemisphere.security.HemisphereAccessDeniedHandler"> 
    <property name="errorPage" value="/error/permissao"/> 
</bean> 

Java bean - HemisphereAccessDeniedHandler.java:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public class HemisphereAccessDeniedHandler implements AccessDeniedHandler {

    private String errorPage;

    public String getErrorPage() {
        return errorPage;
    }

    public void setErrorPage(String errorPage) {
        // Compare by content, not by reference: `errorPage == ""` is never true
        // for a value injected from XML, so the fallback to "/" never fired.
        if (errorPage == null || errorPage.isEmpty()) {
            errorPage = "/";
        }
        this.errorPage = errorPage;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // Set the 403 status code, then redirect to the configured error page.
        // sendRedirect sets its own 3xx status on the response.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        // Prefix the context path: sendRedirect with a leading "/" is resolved
        // against the server root, not the web application.
        response.sendRedirect(request.getContextPath() + errorPage);
    }

}

Answers

0

Redirects have their own HTTP status codes (3XX), see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html. The method response.sendRedirect should automatically set the HTTP status code to 307 (temporary redirect, see http://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpServletResponse.html#sendRedirect).

But you set the HTTP status code to Forbidden (403) before the redirect.

So try removing response.setStatus(HttpServletResponse.SC_FORBIDDEN). You could also post a curl dump to see the raw server output.

+0

I tried that but it did not work; I am debugging it and it does not enter the class. –

1

I found out what was happening. I have a Spring MVC @ExceptionHandler that was catching the error.

// Catches every Exception, which includes Spring Security's AccessDeniedException
// thrown by method security, so the access-denied-handler never runs.
@ExceptionHandler
public ResponseEntity<String> handle(Exception exception, HttpServletRequest requestMain) {
    String erro = exception.getMessage();
    PusherRequest request = new PusherRequest("hemisphere-web", requestMain.getSession().getId());
    request.triggerPush(erro);

    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.APPLICATION_JSON);

    return new ResponseEntity<String>(exception.getMessage(), headers, HttpStatus.FORBIDDEN);
}
+1

Well, if you just need a simple redirect, consider using the _error-page_ attribute of _access-denied-handler_ (http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#nsa-access-denied-handler). Good luck! –

+0

Yes, I had already done that in my first test, but without success, so I went down another path :) Thanks! –
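The mechanism behind the accepted answer, as an added example that is not part of the original question or answers: with pre/post annotations enabled (as in the configuration above), a failed `@PreAuthorize` check throws `AccessDeniedException` from inside the controller method, so the exception passes through `DispatcherServlet`'s exception resolvers before it can reach `ExceptionTranslationFilter`. A catch-all `@ExceptionHandler(Exception.class)` therefore consumes it and the configured `access-denied-handler` is never invoked (URL-level `intercept-url` denials are unaffected, because `FilterSecurityInterceptor` raises them before the servlet). The controller below, written for Spring 3.1 as used on this page, adds a handler dedicated to `AccessDeniedException` that rethrows it: Spring MVC picks the `@ExceptionHandler` whose declared type is closest to the thrown exception, and when no resolver produces a view the servlet rethrows the original exception into the filter chain. The class name and the generic 500 body are assumptions; only the Spring and Servlet types are real.

```java
// Added example, not code from the original question or its answers.
// Package and class name are assumptions.
package net.pontoall.hemisphere.web;

import javax.servlet.http.HttpServletRequest;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;

@Controller
public class HemisphereBaseController {

    // Closest declared type wins, so this method is chosen over the catch-all
    // below for AccessDeniedException and its subclasses. Rethrowing makes the
    // @ExceptionHandler resolver return null; with no resolver producing a view,
    // DispatcherServlet rethrows the original exception, it leaves the servlet,
    // and ExceptionTranslationFilter invokes the configured AccessDeniedHandler
    // (here: HemisphereAccessDeniedHandler from the security-context.xml above).
    @ExceptionHandler(AccessDeniedException.class)
    public void rethrowAccessDenied(AccessDeniedException ex) throws AccessDeniedException {
        throw ex;
    }

    // Catch-all for application errors only. It answers 500, not 403, and does
    // not echo exception.getMessage() to the client: internal messages can leak
    // class names, SQL fragments or file paths to an attacker.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<String> handleUnexpected(Exception exception, HttpServletRequest request) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        // Log the full exception server-side (logger omitted; assumption) and
        // return a neutral body.
        return new ResponseEntity<String>("{\"error\":\"internal error\"}", headers,
                HttpStatus.INTERNAL_SERVER_ERROR);
    }
}
```

Spring logs the rethrow as a failed `@ExceptionHandler` invocation; that is expected and harmless. Two caveats worth checking in your own deployment: the dedicated handler must live in the same controller (or, from Spring 3.2 on, a `@ControllerAdvice`) as the catch-all, since `@ExceptionHandler` lookup is per controller; and a handler that redirects, as `HemisphereAccessDeniedHandler` does, replaces the 403 with the redirect's 3xx status, so an XHR or API client that cannot follow redirects never observes the denial. Spring's own `AccessDeniedHandlerImpl`, which is what the `error-page` attribute suggested in the comments configures, sets 403 and then forwards to the error page, which keeps the status visible to the client.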