在Spring默认的AccessDeniedHandler中只有对页面请求的处理,而没有对Ajax的处理。而在项目开发是Ajax又是我们要常用的技术,所以我们可以通过自定义AccessDeniedHandler来处理Ajax请求。我们在Spring默认的AccessDeniedHandlerImpl上稍作修改就可以了。
~~~
public class DefaultAccessDeniedHandler implements AccessDeniedHandler {
/* (non-Javadoc)
* @see org.springframework.security.web.access.AccessDeniedHandler#handle(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.access.AccessDeniedException)
*/
private String errorPage;
//~ Methods ========================================================================================================
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
throws IOException, ServletException {
boolean isAjax = ControllerTools.isAjaxRequest(request);
if(isAjax){
Message msg = MessageManager.exception(accessDeniedException);
ControllerTools.print(response, msg);
}else if (!response.isCommitted()) {
if (errorPage != null) {
// Put exception into request scope (perhaps of use to a view)
request.setAttribute(WebAttributes.ACCESS_DENIED_403, accessDeniedException);
// Set the 403 status code.
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
// forward to error page.
RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
dispatcher.forward(request, response);
} else {
response.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
}
}
}
/**
* The error page to use. Must begin with a "/" and is interpreted relative to the current context root.
*
* @param errorPage the dispatcher path to display
*
* @throws IllegalArgumentException if the argument doesn't comply with the above limitations
*/
public void setErrorPage(String errorPage) {
if ((errorPage != null) && !errorPage.startsWith("/")) {
throw new IllegalArgumentException("errorPage must begin with '/'");
}
this.errorPage = errorPage;
}
}
~~~
这里我们直接将异常信息通过PrintWriter输出到前台,然后在前台做统一的处理就可以了。在前台对后台消息统一处理的方法可以参考我的这篇文章[http://blog.csdn.net/jaune161/article/details/18135607](http://blog.csdn.net/jaune161/article/details/18135607)
最后在配置文件中配置下
~~~
<sec:http auto-config="true" access-decision-manager-ref="accessDecisionManager">
<sec:access-denied-handler ref="accessDeniedHandler"/>
<sec:session-management invalid-session-url="/login.jsp" />
<sec:intercept-url pattern="/app.jsp" access="AUTH_LOGIN"/>
<sec:intercept-url pattern="/**" access="AUTH_GG_FBGBGG"/>
<sec:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp"
default-target-url="/index.jsp"/>
</sec:http>
<!-- 自定义权限不足处理程序 -->
<bean id="accessDeniedHandler" class="com.zrhis.system.security.RequestAccessDeniedHandler">
<property name="errorPage" value="/WEB-INF/error/403.jsp"></property>
</bean>
~~~
session-management本来计划在之前就讲的,但是准备深入讲下session-management所以就一直没有讲。今天既然提到了就简单的说下session-management最简单的配置,就是上面的配置invalid-session-url表示Session失效时跳转的连接。随后会深入讲下这个。
- 前言
- (大纲)----学习过程分享
- (1)----SpringSecurity3.2环境搭建
- (2)----SpringSecurity简单测试
- (3)---- 自定义登录页面
- (4)---- 数据库表结构的创建
- (5)---- 国际化配置及UserCache
- (6)---- 使用数据库管理用户及权限
- (7)---- 解决UsernameNotFoundException无法被捕获的问题
- (8)---- 自定义决策管理器及修改权限前缀
- (9)---- 自定义AccessDeniedHandler
- (10)---- 自定义登录成功后的处理程序及修改默认验证地址
- (11)---- 使用数据库来管理资源
- (12)---- 使用数据库来管理方法
- (13)---- 验证码功能的实现
- (14)---- Logout和SessionManager