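Spring's default AccessDeniedHandler only handles page requests and has no handling for Ajax requests. Since Ajax is a technique we use all the time in project development, we can handle Ajax requests with a custom AccessDeniedHandler. A small modification of Spring's default AccessDeniedHandlerImpl is all it takes.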
~~~
import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.AccessDeniedHandler;

// ControllerTools, Message and MessageManager are the project's own helper classes;
// import them from wherever they live in your code base.
public class DefaultAccessDeniedHandler implements AccessDeniedHandler {

    private String errorPage;

    //~ Methods ========================================================================================================

    /* (non-Javadoc)
     * @see org.springframework.security.web.access.AccessDeniedHandler#handle(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.access.AccessDeniedException)
     */
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException) throws IOException, ServletException {
        boolean isAjax = ControllerTools.isAjaxRequest(request);
        if (isAjax) {
            // Ajax request: wrap the exception in a message and write it to the response body.
            Message msg = MessageManager.exception(accessDeniedException);
            ControllerTools.print(response, msg);
        } else if (!response.isCommitted()) {
            if (errorPage != null) {
                // Put exception into request scope (perhaps of use to a view)
                request.setAttribute(WebAttributes.ACCESS_DENIED_403, accessDeniedException);
                // Set the 403 status code.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                // forward to error page.
                RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
                dispatcher.forward(request, response);
            } else {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
            }
        }
    }

    /**
     * The error page to use. Must begin with a "/" and is interpreted relative to the current context root.
     *
     * @param errorPage the dispatcher path to display
     *
     * @throws IllegalArgumentException if the argument doesn't comply with the above limitations
     */
    public void setErrorPage(String errorPage) {
        if ((errorPage != null) && !errorPage.startsWith("/")) {
            throw new IllegalArgumentException("errorPage must begin with '/'");
        }
        this.errorPage = errorPage;
    }
}
~~~
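Here we write the exception information straight to the front end through a PrintWriter and then handle it uniformly on the front end. For how to handle back-end messages uniformly on the front end, see my article [http://blog.csdn.net/jaune161/article/details/18135607](http://blog.csdn.net/jaune161/article/details/18135607)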
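One way the two helpers called in the handler could look, as an added example rather than the author's ControllerTools (whose source is not shown on this page). The class name `AjaxDeniedSupport`, the method `writeForbidden` and the JSON field names are assumptions; this variant also sets the 403 status and sends a fixed message, leaving exception detail to the server log.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical stand-in for the article's ControllerTools helpers. */
public final class AjaxDeniedSupport {

    // Constructed response shape; adapt the field names to your front end.
    private static final String FORBIDDEN_JSON =
            "{\"success\":false,\"status\":403,\"message\":\"Access denied\"}";

    private AjaxDeniedSupport() {
    }

    /**
     * Treats a request as Ajax if it carries X-Requested-With: XMLHttpRequest
     * (sent by jQuery and similar libraries) or asks for JSON via Accept
     * (covers clients that do not send the first header).
     * Both headers are client-controlled, so the result only selects the
     * response format; it must never feed into an access decision.
     */
    public static boolean isAjaxRequest(HttpServletRequest request) {
        String requestedWith = request.getHeader("X-Requested-With");
        if ("XMLHttpRequest".equalsIgnoreCase(requestedWith)) {
            return true;
        }
        String accept = request.getHeader("Accept");
        return accept != null
                && accept.toLowerCase(Locale.ROOT).contains("application/json");
    }

    /** Writes a 403 with a fixed JSON body so the client can branch on the status code. */
    public static void writeForbidden(HttpServletResponse response) throws IOException {
        if (response.isCommitted()) {
            return; // headers already sent; status and body can no longer be changed
        }
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(FORBIDDEN_JSON);
    }
}
```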
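Finally, register the handler in the configuration file, pointing the bean's `class` attribute at your handler implementation: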
~~~
<sec:http auto-config="true" access-decision-manager-ref="accessDecisionManager">
    <sec:access-denied-handler ref="accessDeniedHandler"/>
    <sec:session-management invalid-session-url="/login.jsp" />
    <sec:intercept-url pattern="/app.jsp" access="AUTH_LOGIN"/>
    <sec:intercept-url pattern="/**" access="AUTH_GG_FBGBGG"/>
    <sec:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp"
        default-target-url="/index.jsp"/>
</sec:http>

<!-- Custom handler for insufficient permissions -->
<bean id="accessDeniedHandler" class="com.zrhis.system.security.RequestAccessDeniedHandler">
    <property name="errorPage" value="/WEB-INF/error/403.jsp"></property>
</bean>
~~~
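I had originally planned to cover session-management earlier, but because I wanted to go into it in depth I kept putting it off. Since it has come up today, here is a brief note on its simplest configuration, which is the one shown above: invalid-session-url is the URL to redirect to when the session is invalid. I will go into this in depth later.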