我的Spring安全配置是
<http pattern="/resources/**" security="none"/>
<http pattern="/login**" security="none"/>
<http pattern="/invalidsession**" security="none"/>
<http pattern="/forgotpassword**" security="none"/>
<http pattern="/accessdenied**" security="none"/>
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/common/**" access="hasAnyRole('SITE_ADMIN','CLIENT_ADMIN')" />
<intercept-url pattern="/site/**" access="hasRole('SITE_ADMIN')" />
<intercept-url pattern="/**" access="hasRole('CLIENT_ADMIN')" />
<!-- access denied page
<access-denied-handler error-page="/accessdenied" />
-->
<access-denied-handler ref="my403" />
<form-login login-page="/login"
username-parameter="username"
password-parameter="password" authentication-failure-url="/login?error"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
/>
<logout logout-success-url="/login?logout" />
<session-management invalid-session-url="/invalidsession" />
</http>
当 SITE_ADMIN 用户打开一个不存在的页面时,它会显示访问被拒绝页面而不是 404 页面。这是因为 <intercept-url pattern="/**" access="hasRole('CLIENT_ADMIN')" />
。 Spring Security 在 pagenotfound 之前检查授权。如果页面不存在并且 SITE_ADMIN 当前正在记录,我如何显示 404。
最佳答案
不确定为什么要这样做,但您可以通过实现 AuthenticationEntryPoint
并为您的 CLIENT_ADMIN
设置开始方法 404
来实现它,并且为其他人保留默认值
类似的东西
@Component
public class EntryPointUnauthorizedHandler implements AuthenticationEntryPoint{
@Override
public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,AuthenticationException e) throws IOException, ServletException {
// use SecurityContextHolder.getContext() for your security checks
httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,"Access Denied");
}
}
现在您可以在 http-security 配置中添加入口点
关于java - 如果用户未授权,Spring Security 显示 404,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30668750/