I am trying to use Spring Security annotations to secure my endpoints instead of defining the rules in XML. It seems to work, but when I hit an access-denied error I get back HTTP status code 500. I don't see any exception in the tomcat log file. By the time execution reaches my AuthenticationEntryPoint, the response has already been committed.
If I revert to the rules in XML and get an access-denied error, I get back HTTP status code 401.
The method is annotated with @PreAuthorize:
@GET
@Produces(MediaType.APPLICATION_JSON)
@PreAuthorize("hasRole('user')")
public String list() throws IOException
Here is my XML (the previous XML rule is commented out):
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns="http://www.springframework.org/schema/beans"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <security:debug/>
    <security:global-method-security pre-post-annotations="enabled"/>
    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider user-service-ref="userDao">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>
    <security:http
            realm="Protected API"
            use-expressions="true"
            auto-config="false"
            create-session="stateless"
            entry-point-ref="unauthorizedEntryPoint"
            authentication-manager-ref="authenticationManager">
        <security:access-denied-handler ref="accessDeniedHandler"/>
        <security:custom-filter ref="tokenAuthenticationProcessingFilter" position="FORM_LOGIN_FILTER"/>
        <security:custom-filter ref="tokenFilter" position="REMEMBER_ME_FILTER"/>
        <!--<security:intercept-url method="GET" pattern="/rest/news/**" access="hasRole('user')"/>-->
    </security:http>
</beans>
This problem has nothing to do with Spring Security. The problem is in Jersey.
Jersey intercepts the AccessDeniedException and rethrows it as a ServletException.
All I had to do was write an ExceptionMapper. More info: https://jersey.java.net/documentation/latest/representations.html#d0e4866
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import org.springframework.security.access.AccessDeniedException;

/**
 * AccessDeniedMapper is instantiated by Jersey directly through the "jersey.config.server.provider.packages" setting
 */
@Provider
public class AccessDeniedMapper implements ExceptionMapper<AccessDeniedException> {
    @Override
    public Response toResponse(AccessDeniedException e) {
        // Turn the Spring Security exception into a plain HTTP status instead of letting Jersey wrap it as a ServletException (500)
        return Response.status(401)
                       .build();
    }
}
At startup, Jersey scans for @Provider classes using the jersey.config.server.provider.packages property. From my web.xml:
<!-- Map the REST Servlet to /rest/ -->
<servlet>
    <servlet-name>RestService</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
    <init-param>
        <!--Every class inside of this package (com.unsubcentral.rest) will be available to Jersey-->
        <param-name>jersey.config.server.provider.packages</param-name>
        <param-value>com.rince.rest</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>RestService</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
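As an added example (not the original poster's code), here is a variant of the mapper that reproduces the decision Spring Security's ExceptionTranslationFilter would have made if the exception had reached it instead of being swallowed by Jersey: an anonymous caller is answered with 401 and a WWW-Authenticate challenge, while a caller who is authenticated but lacks the required role gets 403. The realm string, the "Bearer" challenge scheme and the package the class lives in are assumptions; adjust them to whatever your entry point and token filter actually use.

```java
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example, not code from the original question or answer.
 *
 * Mirrors what Spring Security's ExceptionTranslationFilter does with an
 * AccessDeniedException: an unauthenticated (anonymous) caller is challenged
 * (401), an authenticated caller without the required authority is refused (403).
 * Jersey only finds this class if it lives in a package listed under
 * jersey.config.server.provider.packages (assumed here).
 */
@Provider
public class AccessDeniedMapper implements ExceptionMapper<AccessDeniedException> {

    // Assumption: same value as the realm="..." attribute on <security:http>.
    private static final String REALM = "Protected API";

    // Same helper ExceptionTranslationFilter uses to tell anonymous tokens apart.
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    @Override
    public Response toResponse(AccessDeniedException e) {
        // The token filter (REMEMBER_ME_FILTER position above) populates this per request
        // even though sessions are stateless.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth == null || trustResolver.isAnonymous(auth)) {
            // No real principal: nobody has authenticated yet, so challenge instead of refusing.
            // Assumption: the API expects bearer tokens; use the scheme your entry point sends.
            return Response.status(Response.Status.UNAUTHORIZED)
                           .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"" + REALM + "\"")
                           .build();
        }

        // Authenticated but not authorised. Return an empty body on purpose: echoing
        // e.getMessage() would tell the caller which role the method required.
        return Response.status(Response.Status.FORBIDDEN).build();
    }
}
```

With this in place the behaviour matches what the XML intercept-url rule produced through the entry point and the access-denied-handler, and the security debug log (`<security:debug/>` above) will still show the AccessDeniedException being raised by the method interceptor, which is the easiest way to confirm the mapper, and not a 500 path, handled the request.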