Spring Security 中基于角色的访问拒绝处理 - 如何?
我正在使用 Spring Security 开发基于 Spring 的应用程序。我有具有不同角色的用户,并且希望根据角色实施访问拒绝处理。更具体地说,期望的效果如下:当用户尝试访问不允许他访问的资源时,我想区分由于用户未经身份验证而拒绝的情况和由于用户未经身份验证而拒绝的情况权限不足(角色错误)。未经身份验证的用户可以被定向到常规 403 页面,但那些角色错误的用户我想重定向到一个表单,他们可以在其中请求授予适当的角色。
我正在考虑添加“
你会如何解决这个问题?有没有最佳实践?试图用谷歌搜索一些例子,因为我认为这是一种非常常见的模式,但没有成功。
多谢。
I'm working on Spring based application with Spring Security. I have users with different roles and would like to implement access denial handling depending on the role. More specifically the desired effect would be the following: when user tries to access a resource that he is not allowed to, I would like to distinguish between the case when the denial is because the user is not authenticated and the case when it is due to insufficient privileges (wrong role). The users who are not authenticated can be directed to the regular 403 page, but the ones with just a wrong role I would like to redirect to a form in which they could request granting appropriate role.
I'm thinking about either adding the "<access-denied-handler error-page="/xyz">" and implementing the xyz controller or somehow (not yet sure how) implement this as a custom filter.
How would you tackle the problem? Is there any best practice for that? Was trying to google for some examples as I would consider this as a quite common pattern, but no success.
Thanks a lot.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我会尝试实现我的自定义
AccessDeniedHandler并尝试在org.springframework.security.web.access.ExceptionTranslationFilter(阅读其类 JavaDoc!)I would try to implement my custom
AccessDeniedHandlerand try to "register" it in theorg.springframework.security.web.access.ExceptionTranslationFilter(read its class JavaDoc!)