由@ExceptionHandler捕获的Spring Security AccessDeniedException

时间:2014-02-03 17:14:53

标签: spring-security

我有以下spring-security.xml

<security:global-method-security proxy-target-class="true" secured-annotations="enabled" />
<security:http auto-config="false" use-expressions="true" entry-point-ref="customLoginEndpoint" >
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>

<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    p:authenticationManager-ref="customAuthenticationManager"/>

以下是customLoginEndpoint

@Component("customLoginEndpoint")
public class CustomLoginEndpoint extends LoginUrlAuthenticationEntryPoint
{
    public AcapLoginEndpoint()
    {
        super("/auth/login");
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authenticationException) 
            throws IOException, ServletException {
        response.sendRedirect("/auth/login");
    }   
}

我的控制器clas有一个@ExceptionHandler(Throwable ex)和几个有@Secured注释的方法

问题是@ExceptionHandler方法捕获由@Secured注释引起的所有org.springframework.security.access.AccessDeniedException,因此请求永远不会到达CustomLoginEndpoint.commence并被拒绝。

如果我删除@ExceptionHandler,那么一切正常。

如何使这个工作正常,以便调用begin并避免@ExceptionHandler捕获由@Secured注释引起的AccessDeniedException。

1 个答案:

答案 0 :(得分:4)

您应该能够为AccessDeniedException添加另一个@ExceptionHandler,然后只需在handle方法中重新抛出异常。这将允许AccessDeniedException传播,以便Spring Security可以处理错误。