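I have a Spring web application that uses a custom AccessDecisionVoter. This custom decision voter looks up the permission required to access a URL and then checks whether the logged-in user has been granted that permission.
If the logged-in user has not been granted the required permission, the custom decision voter should return ACCESS_DENIED; otherwise it returns ACCESS_GRANTED.
The problem now is: when a user tries to access a URL for which he has not been granted permission, the application server returns HTTP 405. Note that when the user accesses the URL via the GET method (for example, by typing the URL into the browser's address bar), he gets HTTP 403. HTTP 405 occurs only with the POST method. Note that my spring-mvc controller does not restrict the HTTP method.
I have confirmed from my log file that the decision voter is returning ACCESS_DENIED (-1). Somehow my browser just receives HTTP 405.
I am using spring-security 5.0.1.
Below is my code:
My custom decision voter: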
@Override
public int vote(Authentication authentication, Object object, Collection securityConfigs) {
    logger.debug("Authorization in progress");
    // Fail closed: no authentication or no matching config means denial.
    if (authentication == null) {
        logger.info("No authentication. Access Denied.");
        return ACCESS_DENIED;
    }
    if (securityConfigs.size() == 0) {
        logger.info("No matching Page Config found for the given URL. Access Denied.");
        return ACCESS_DENIED;
    }
    int result = ACCESS_ABSTAIN;
    Set<String> authorities = extractAuthorities(authentication);
    String username = authentication.getName().toUpperCase();
    logger.debug("authentication.getName() = " + username);
    for (Object configObject : securityConfigs) {
        SecurityConfig config = (SecurityConfig) configObject;
        if (this.supports(config.getAttribute())) {
            // A supported attribute was found: deny unless an authority matches it.
            result = ACCESS_DENIED;
            String attributeUpperCase = config.getAttribute().toUpperCase();
            logger.debug("config attribute = " + attributeUpperCase);
            if (authorities.contains(attributeUpperCase)) {
                logger.info("The request url has config attribute that matches the login user's granted Master Function Code. Access Granted. The matching config attribute = " + attributeUpperCase);
                return ACCESS_GRANTED;
            }
        }
    }
    logger.info("Voting Result from DaxVoter = " + result);
    return result;
}
My controller:
@ResponseBody
@RequestMapping(value = "/road/retrieveRoad.do")
public Map<String, Object> retrieveRoad(HttpServletRequest request, @RequestBody DataParamsBean dataParams) {
    logger.info("CommonSupportCtrl | retrieveRoad | Start");
    Map<String, Object> resultMap = new HashMap<String, Object>();
    int start = dataParams.getSkip();
    int limit = (dataParams.getTake() == 0) ? 10 : (int) dataParams.getTake();
    String sortBy = (dataParams.getSorted() == null) ? null : (String) dataParams.getSorted().get(0).get("name");
    String sortDirection = (dataParams.getSorted() == null) ? null : (String) dataParams.getSorted().get(0).get("direction");
    String roadCode = dataParams.getParams().get("id") == null ? null : (String) dataParams.getParams().get("id");
    String roadName = dataParams.getParams().get("roadName") == null ? null : (String) dataParams.getParams().get("roadName");
    if (sortDirection != null) {
        if (sortDirection.equalsIgnoreCase("ascending")) {
            sortDirection = "asc";
        } else {
            sortDirection = "desc";
        }
    }
    GenericSearchResults<RoadBean> searchResults = commonSupportService.retrieveRoadByCriteria(roadName, roadCode, start, limit,
            sortBy, sortDirection);
    resultMap.put("result", searchResults.getResult());
    resultMap.put("count", searchResults.getCount());
    logger.info("CommonSupportCtrl | retrieveRoad | End");
    return resultMap;
}
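I managed to solve it. It was actually caused by my configuration in web.xml. I solved it by changing the error page from .htm to .jsp, changing only the file format and not the content. So I assume .htm cannot support the POST method, while .jsp can.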
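
An added example, not part of the original post: an AccessDeniedHandler that writes the 403 response itself, so a denied request gets the same status for GET and POST regardless of which error page web.xml maps. The class name DirectForbiddenHandler and the JSON body are hypothetical; it assumes the javax.servlet API used with Spring Security 5.0.x.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

// Hypothetical class (added example): answers every denied request with 403
// directly instead of handing the response to the container's error page.
public class DirectForbiddenHandler implements AccessDeniedHandler {

    private static final Logger LOG =
            Logger.getLogger(DirectForbiddenHandler.class.getName());

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException denied) throws IOException {
        // Record method, path and user so denied POSTs show up in the audit
        // trail as authorization failures rather than as 405 noise.
        LOG.log(Level.WARNING, "Access denied: method={0} uri={1} user={2}",
                new Object[] { request.getMethod(), request.getRequestURI(),
                        request.getRemoteUser() });

        if (response.isCommitted()) {
            // Headers are already sent; the status can no longer be changed.
            return;
        }

        // setStatus, not sendError: sendError triggers the container's
        // <error-page> dispatch, which replays the original HTTP method
        // (POST here) against the mapped error resource.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("application/json");
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        // Constant body: no request data is echoed back to the client.
        response.getWriter().write("{\"error\":\"forbidden\"}");
    }
}
```

It can be registered with `http.exceptionHandling().accessDeniedHandler(new DirectForbiddenHandler())` in Java configuration, or through the `ref` attribute of `<access-denied-handler>` in XML configuration.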