我有以下spring-security.xml
<security:global-method-security proxy-target-class="true" secured-annotations="enabled" />
<security:http auto-config="false" use-expressions="true" entry-point-ref="customLoginEndpoint" >
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthenticationManager"/>
以下是customLoginEndpoint
@Component("customLoginEndpoint")
public class CustomLoginEndpoint extends LoginUrlAuthenticationEntryPoint
{
public AcapLoginEndpoint()
{
super("/auth/login");
}
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authenticationException)
throws IOException, ServletException {
response.sendRedirect("/auth/login");
}
}
我的控制器clas有一个@ExceptionHandler(Throwable ex)和几个有@Secured注释的方法
问题是@ExceptionHandler方法捕获由@Secured注释引起的所有org.springframework.security.access.AccessDeniedException,因此请求永远不会到达CustomLoginEndpoint.commence并被拒绝。
如果我删除@ExceptionHandler,那么一切正常。
如何使这个工作正常,以便调用begin并避免@ExceptionHandler捕获由@Secured注释引起的AccessDeniedException。
答案 0 :(得分:4)
您应该能够为AccessDeniedException添加另一个@ExceptionHandler,然后只需在handle方法中重新抛出异常。这将允许AccessDeniedException传播,以便Spring Security可以处理错误。