Spring Security Access Denied produces HTTP 405

Problem description    Votes: 0    Answers: 1

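I have a Spring web application that uses a custom AccessDecisionVoter. This custom decision voter finds the permission required to access a URL and then checks whether the logged-in user has been granted that permission.

If the logged-in user has not been granted the required permission, this custom decision voter should return ACCESS_DENIED; otherwise it returns ACCESS_GRANTED.

Now the problem is: when a user tries to access a URL for which he has not been granted permission, the application server returns HTTP 405. Note that when the user accesses the URL via the GET method (for example, by typing the URL into the browser address bar), he gets HTTP 403. HTTP 405 only happens with the POST method. Note that my spring-mvc controller does not restrict the HTTP method.

I confirmed from my log file that the decision voter is returning ACCESS_DENIED (-1). Somehow, my browser just receives HTTP 405.

I am using spring-security 5.0.1.

Below is my code:

My custom decision voter: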

@Override
public int vote(Authentication authentication, Object object, Collection securityConfigs) {
    logger.debug("Authorization in progress");
    if (authentication == null) {
        logger.info("No authentication. Access Denied.");
        return ACCESS_DENIED;
    }

    if (securityConfigs.size() == 0) {
        logger.info("No matching Page Config found for the given URL. Access Denied.");
        return ACCESS_DENIED;
    }

    int result = ACCESS_ABSTAIN;
    Set<String> authorities = extractAuthorities(authentication);

    String username = authentication.getName().toUpperCase();
    logger.debug("authentication.getName() = " + username);

    for (Object configObject : securityConfigs) {
        SecurityConfig config = (SecurityConfig) configObject;
        if (this.supports(config.getAttribute())) {
            result = ACCESS_DENIED;
            String attributeUpperCase = config.getAttribute().toUpperCase();
            logger.debug("config attribute = " + attributeUpperCase);

            if (authorities.contains(attributeUpperCase)) {
                logger.info("The request url has config attribute that matches the login user's granted Master Function Code. Access Granted. The matching config attribute = " + attributeUpperCase);
                return ACCESS_GRANTED;
            }
        }
    }

    logger.info("Voting Result from DaxVoter = " + result);

    return result;
}

My controller:

@ResponseBody
@RequestMapping(value ="/road/retrieveRoad.do")
public Map<String, Object> retrieveRoad(HttpServletRequest request, @RequestBody DataParamsBean dataParams) {
    logger.info("CommonSupportCtrl | retrieveRoad | Start"); 
    Map<String, Object> resultMap = new HashMap<String, Object>();

    int start = dataParams.getSkip();
    int limit = (dataParams.getTake() == 0) ? 10 : (int) dataParams.getTake();
    String sortBy = (dataParams.getSorted() == null) ? null : (String) dataParams.getSorted().get(0).get("name");
    String sortDirection = (dataParams.getSorted() == null) ? null : (String) dataParams.getSorted().get(0).get("direction");
    String roadCode = dataParams.getParams().get("id") == null ? null : (String) dataParams.getParams().get("id");
    String roadName = dataParams.getParams().get("roadName") == null ? null : (String) dataParams.getParams().get("roadName");

    if(sortDirection != null) {
        if(sortDirection.equalsIgnoreCase("ascending")) {
            sortDirection = "asc";
        } else {
            sortDirection = "desc";
        }
    }

    GenericSearchResults<RoadBean> searchResults = commonSupportService.retrieveRoadByCriteria(roadName, roadCode, start, limit,
            sortBy, sortDirection);

    resultMap.put("result", searchResults.getResult());
    resultMap.put("count", searchResults.getCount());

    logger.info("CommonSupportCtrl | retrieveRoad | End"); 
    return resultMap;
}
java spring-mvc spring-security
1 answer
0
votes

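I managed to solve it. It was actually due to my configuration in web.xml. I solved it by changing the error page from .htm to .jsp, changing only the file format and not the content. So I assume .htm cannot support the POST method, while .jsp can.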
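
An approach that does not depend on which error-page resource the container can serve for a POST, as an added example that is not part of the original post: a Spring Security `AccessDeniedHandler` that sets the 403 status and writes the body itself. The class name `DirectForbiddenHandler`, the JSON body and the use of SLF4J are assumptions; it targets the `javax.servlet` API used with Spring Security 5.0.x.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Added example (hypothetical class name). Register it with
 * http.exceptionHandling().accessDeniedHandler(new DirectForbiddenHandler())
 * or <access-denied-handler ref="..."/> in the XML namespace configuration.
 */
public class DirectForbiddenHandler implements AccessDeniedHandler {

    // Assumption: the project logs through SLF4J.
    private static final Logger logger = LoggerFactory.getLogger(DirectForbiddenHandler.class);

    // Constructed response body; it deliberately echoes nothing from the request.
    private static final byte[] BODY =
            "{\"status\":403,\"error\":\"Forbidden\"}".getBytes(StandardCharsets.UTF_8);

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException denied) throws IOException {
        // Record the HTTP method: on this page only POST requests ended up as 405.
        logger.warn("Access denied: method={} uri={} user={}",
                request.getMethod(), request.getRequestURI(), request.getRemoteUser());

        if (response.isCommitted()) {
            return; // headers already sent, the status can no longer be changed
        }
        // setStatus(), unlike sendError(), does not trigger the container's
        // <error-page> dispatch, so the client sees 403 for GET and POST alike.
        response.resetBuffer();
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("application/json");
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.setContentLength(BODY.length);
        response.getOutputStream().write(BODY);
        response.flushBuffer();
    }
}
```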
