Spring security 配置的AccessDeniedHandler无效，抛出AccessDeniedException 不允许访问

绝地灬酷狼 2021-09-03 04:11 1022阅读 0赞

## 1.Spring Security 中的异常处理 ##

我们一般都会在Spring Security 的 自定义配置类（ WebSecurityConfigurerAdapter ）中使用HttpSecurity 提供的 exceptionHandling() 方法用来提供异常处理。该方法构造出 ExceptionHandlingConfigurer 异常处理配置类。该配置类提供了两个实用接口：

**AuthenticationEntryPoint 该类用来统一处理 AuthenticationException 异常  
AccessDeniedHandler 该类用来统一处理 AccessDeniedException 异常**  
我们只要实现并配置这两个异常处理类即可实现对 Spring Security 认证授权相关的异常进行统一的自定义处理。

public class SimpleAuthenticationEntryPoint implements AuthenticationEntryPoint { 
    
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException) throws IOException, ServletException { 
            ResponseUtil.out(response, ResultJson.error(CommonEnum.NOT_FIND_LOGIN_INFORMATION));
        }
    }

public class SimpleAccessDeniedHandler implements AccessDeniedHandler { 
    
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException) throws IOException, ServletException { 
            ResponseUtil.out(response, ResultJson.error(CommonEnum.NO_PERMISSION));
        }
    
    }

**配置**

实现了上述两个接口后，我们只需要在 WebSecurityConfigurerAdapter 的 configure(HttpSecurity http) 方法中配置即可。相关的配置片段如下：
    
     http.exceptionHandling().accessDeniedHandler(new SimpleAccessDeniedHandler()).authenticationEntryPoint(new SimpleAuthenticationEntryPoint())

## 2.验证权限失败抛出AccessDeniedException 不允许访问 ##

@Slf4j
    @Component("el")
    public class ElPermissionConfig { 
        /** * 判断接口是否有xxx:xxx权限 * * @param permission 权限 * @return {boolean} */
        public boolean check(String permission) { 
            log.info("需要权限：{}",permission);
            if (StrUtil.isBlank(permission)) { 
                return false;
            }
            SecurityUser user= (SecurityUser) SecurityUtils.getCurrentUser();
            if (user == null) { 
                return false;
            }
    
            return user
                    .getAuthorities()
                    .stream()
                    .map(GrantedAuthority::getAuthority)
                    .filter(StringUtils::hasText)
                    .anyMatch(x -> PatternMatchUtils.simpleMatch(permission, x));
        }
    }

当验证权限失败时抛出AccessDeniedException异常 不允许访问，而我明明配置了SimpleAccessDeniedHandler 来处理异常并返回提示信息。我仔细检查发现拦截AccessDeniedException异常的是**全局异常处理GlobalExceptionHandler**。

@ExceptionHandler(value =Exception.class)
        @ResponseBody
        public ResultJson exceptionHandler(HttpServletRequest req, Exception e){ 
            log.error("未知异常！原因是:",e);
            return ResultJson.error(CommonEnum.INTERNAL_SERVER_ERROR);
        }

## 3.解决方案 ##

**然后我就直接在全局异常处理GlobalExceptionHandler里添加**

/** * 处理AccessDeineHandler无权限异常 * @param req * @param e * @return */
        @ExceptionHandler(value = AccessDeniedException.class)
        @ResponseBody
        public ResultJson exceptionHandler(HttpServletRequest req, AccessDeniedException e){ 
            log.error("不允许访问！原因是:",e.getMessage());
            return ResultJson.error(CommonEnum.NO_PERMISSION);
        }