在Spring安全预身份验证中重定向到错误页面

时间:2013-10-01 00:58:23

标签: java spring spring-mvc spring-security

我正在使用Spring Security并使用预身份验证模块,因为我的应用程序使用Siteminder进行身份验证。

以下是spring config XML

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- http403EntryPoint -->

<security:http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
    <!-- Additional http configuration omitted -->
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>

<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="customUserDetailsService"/>
        </bean>
    </property>
</bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>   

<bean id="customUserDetailsService" class="com.vzw.iaas.security.service.CustomUserDetailsService"></bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"></bean>

<bean id="exceptionTranslationFilter"
 class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
    <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</bean>

<bean id="authenticationEntryPoint"
 class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/NotAuthorized.html"/>
</bean>

<bean id="accessDeniedHandler"
 class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/accessDenied.html"/>
</bean>

现在当有异常时,即当我向应用程序发送请求时没有发送SM_USER应用程序而不是显示错误页面,即在那种情况下NotAuthorized.html抛出并且内部服务器500错误。

我想在以下场景中显示自定义错误页面。 1.存在AuthenticationException时 2.当用户无法访问时。

春天安全大师能否告诉我这里缺少什么。

1 个答案:

答案 0 :(得分:1)

将exceptionIfHeaderMissing标志设为false。请求将使用http403EntryPoint处理,而不是抛出错误。

<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="exceptionIfHeaderMissing" value="false" />
</bean>