I'm new to Spring Security and Spring MVC with jQuery. My Spring Security setup is the basic one from the Spring Security reference documentation. I'm using Spring 3.2.4.
<http use-expressions="true">
    <intercept-url pattern="/secure/login" access="permitAll" />
    <intercept-url pattern="/secure/logout" access="permitAll" />
    <intercept-url pattern="/secure/denied" access="permitAll" />
    <session-management session-fixation-protection="migrateSession" session-authentication-error-url="/login.jsp?authFailed=true">
        <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" expired-url="/login.html" session-registry-alias="sessionRegistry"/>
    </session-management>
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <!-- <intercept-url pattern="/**" access="denyAll" /> -->
    <form-login login-page="/secure/login" default-target-url="/" authentication-failure-url="/secure/denied" />
    <logout logout-url="/secure/logout" logout-success-url="/" />
    <expression-handler ref="defaultWebSecurityExpressionHandler" />
</http>

<authentication-manager>
    <authentication-provider user-service-ref="com.ia.security.SpringSecurityDao" />
</authentication-manager>

<beans:bean id="com.ia.security.SpringSecurityDao" class="com.ia.security.SpringSecurityDaoImpl">
    <beans:property name="usersByUsernameQuery">
        <beans:value>select username,password,enabled
            from user
            where username = ?
        </beans:value>
    </beans:property>
    <beans:property name="dataSource" ref="dataSource" />
    <beans:property name="enableGroups" value="true" />
    <beans:property name="enableAuthorities" value="false" />
    <beans:property name="groupAuthoritiesByUsernameQuery">
        <beans:value>SELECT R.ID, R.NAME, P.NAME
            FROM ROLE R
            JOIN USER_ROLE UR on R.id = UR.role_id
            JOIN USER U on U.id = UR.user_id
            JOIN ROLE_PERMISSION RP ON RP.role_id = R.id
            JOIN PERMISSION P ON P.id = RP.permission_id
            WHERE U.username=?
        </beans:value>
    </beans:property>
</beans:bean>
Under normal conditions everything works. I can request my pages via jQuery.ajax and my callbacks work as expected. What I can't figure out is how to handle the response for a session timeout or an unauthorized access.

For example, if the session times out and I keep making Ajax requests, Spring Security redirects the call to the login page, so the response to the ajax request ends up being the login page. On the client side I need to be able to tell that the user can no longer access the requested page and take the appropriate action, i.e. redirect the browser to the login/error page. The same goes for the case where the user doesn't have permission to access the URL.

I found similar posts about how to configure login via ajax, but I'm struggling to understand how to handle unauthorized requests via ajax. I think that in the case of an Ajax call the server should return a specific status code (e.g. 401 Unauthorized, etc.) and let the JS handle the different codes, but I'm not sure where/how to configure that.

I've tried looking at the AuthenticationFailureHandler and AuthenticationSuccessHandler classes, but they don't even seem to be used in my configuration (breakpoints set in them are never hit), so I'm really struggling to understand what/how/where to configure the necessary handlers/filters etc.
Answer 0 (score: 0)
You can try using access-denied-handler in the http tag, like this:
<http auto-config="true">
    <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
    <access-denied-handler ref="accessDeniedHandler"/>
</http>

<bean id="accessDeniedHandler" class="CustomAccessDeniedHandler">
    <property name="accessDeniedUrl" value="accessDenied" />
</bean>
You can create your own handler that implements Spring's AccessDeniedHandler and overrides the handle() method.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public class CustomAccessDeniedHandler implements AccessDeniedHandler {

    // Set from the bean definition (accessDeniedUrl property)
    private String accessDeniedUrl;

    public String getAccessDeniedUrl() {
        return accessDeniedUrl;
    }

    public void setAccessDeniedUrl(String accessDeniedUrl) {
        this.accessDeniedUrl = accessDeniedUrl;
    }

    @Override
    public void handle(HttpServletRequest request,
                       HttpServletResponse response,
                       AccessDeniedException accessDeniedException)
            throws IOException, ServletException {
        // Your own logic, something like this: store a message for the
        // error page and send the browser there
        request.getSession().setAttribute("message",
                "You do not have permission to access this page!");
        response.sendRedirect(accessDeniedUrl);
    }
}
accessDenied.jsp could look like this:
<html>
<body>
    <h1>HTTP Status 403 - Access is denied</h1>
    <h3>Message : ${message}</h3>
</body>
</html>
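One point worth separating, since the question mentions both cases: with `access="isAuthenticated()"` on `/**`, a request whose session has expired is anonymous, so ExceptionTranslationFilter routes it to the AuthenticationEntryPoint (the login redirect the asker sees), while the access-denied-handler above only runs for a user who is logged in but lacks the required authority. The following is an added example, not code from the question or the answer, showing both hooks made Ajax-aware: each checks the `X-Requested-With: XMLHttpRequest` header that jQuery.ajax sets on same-origin requests and answers with 401 or 403 instead of a redirect, and falls back to the stock behaviour for full-page requests. It assumes Spring Security 3.2 (the version in the question) and the javax.servlet API; the class names, bean ids and the `entry-point-ref` wiring shown in the trailing comment are mine.

```java
// Added example (not from the original question or answer). Assumes Spring Security 3.2
// and the javax.servlet API; class and bean names below are invented for illustration.
package com.ia.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/** Two handlers that answer XHR calls with a status code instead of a redirect. */
public final class AjaxSecurityHandlers {

    /** jQuery.ajax adds this header to same-origin requests. */
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    /**
     * Entry point: invoked by ExceptionTranslationFilter when an unauthenticated request
     * (including one whose session has expired) reaches a protected URL.
     * Full-page requests still get the normal redirect to the login form.
     */
    public static class EntryPoint extends LoginUrlAuthenticationEntryPoint {
        public EntryPoint(String loginFormUrl) {
            super(loginFormUrl);
        }

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException)
                throws IOException, ServletException {
            if (isAjax(request)) {
                // 401: the caller must (re)authenticate; the JS error callback decides what to do.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                        "Not authenticated or session expired");
                return;
            }
            super.commence(request, response, authException);
        }
    }

    /**
     * Access-denied handler: invoked when an authenticated user lacks the required authority.
     * Full-page requests are delegated to the stock handler, which forwards to errorPage.
     */
    public static class DeniedHandler implements AccessDeniedHandler {
        private final AccessDeniedHandlerImpl fallback = new AccessDeniedHandlerImpl();

        /** Page to forward non-Ajax requests to; must start with '/'. */
        public void setErrorPage(String errorPage) {
            fallback.setErrorPage(errorPage);
        }

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException)
                throws IOException, ServletException {
            if (isAjax(request)) {
                // 403: authenticated but not allowed; no point sending a login page.
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
                return;
            }
            fallback.handle(request, response, accessDeniedException);
        }
    }
}

/* Wiring in the security XML (bean ids invented; URLs are the ones from the question):

   <http use-expressions="true" entry-point-ref="ajaxEntryPoint">
       ...
       <access-denied-handler ref="ajaxDeniedHandler"/>
   </http>

   <beans:bean id="ajaxEntryPoint" class="com.ia.security.AjaxSecurityHandlers$EntryPoint">
       <beans:constructor-arg value="/secure/login"/>
   </beans:bean>
   <beans:bean id="ajaxDeniedHandler" class="com.ia.security.AjaxSecurityHandlers$DeniedHandler">
       <beans:property name="errorPage" value="/secure/denied"/>
   </beans:bean>
*/
```

On the client side the jQuery error callback then sees `jqXHR.status` of 401 or 403 and can send the browser to the login or error page itself, instead of having to guess from a response body that happens to contain login-page HTML. Keep the header check as the only Ajax signal: a missing header just means the request gets the ordinary redirect, so browsers and non-XHR clients lose nothing.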