Solutions for logging on to AJAX requests based on Spring Security

Source: Internet
Author: User

When Spring Security is used for access control, requests entered in the browser address bar are intercepted and redirected cleanly, but an AJAX call to a URL that requires authentication cannot handle the result. With the default configuration, if the user has not logged in or the session has expired, the request is intercepted and forwarded to the login page, so the AJAX call receives the HTML of the login page, which the client cannot process as JSON. After some experiments, two approaches emerge:

1. Point the login page at a .do page (an action) and check the request type there:

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Inside the .do page / action that serves the login form (method name is illustrative)
void handleLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
    boolean isAjax = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    // For ajax requests: send a JSON marker instead of rendering the login HTML
    if (isAjax) {
        String jsonObject = "{\"success\": false, \"isLoginRequired\": true}";
        String contentType = "application/json";
        response.setContentType(contentType);
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();
        out.print(jsonObject);
        out.flush();
        out.close();
        return;
    }
    // Otherwise fall through and render the normal login page
}
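The same check can be placed where Spring Security itself decides what to do with an unauthenticated request, so that no login page code has to know about AJAX. The class below is an added example, not code from the article: it implements Spring Security's AuthenticationEntryPoint, answers AJAX callers with the same JSON marker (plus an HTTP 401 status) and delegates browser requests to the standard LoginUrlAuthenticationEntryPoint. The class name, the bean id and the /login.do URL are assumptions; it targets Spring Security 3.1 or later with the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Entry point that answers AJAX callers with a JSON body and HTTP 401 instead of
 * redirecting them to the HTML login page. Non-AJAX requests still receive the
 * normal redirect from LoginUrlAuthenticationEntryPoint.
 *
 * Hypothetical class; the JSON field names (success, isLoginRequired) mirror the
 * ones used by the article's .do page so the existing jQuery wrapper keeps working.
 */
public class AjaxAwareAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private final LoginUrlAuthenticationEntryPoint browserEntryPoint;

    public AjaxAwareAuthenticationEntryPoint(String loginFormUrl) {
        this.browserEntryPoint = new LoginUrlAuthenticationEntryPoint(loginFormUrl);
    }

    /** jQuery and most XHR wrappers send this header; a plain fetch() call does not unless told to. */
    static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"));
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        if (!isAjax(request)) {
            // Browser navigation: keep the default redirect to the login form
            browserEntryPoint.commence(request, response, authException);
            return;
        }
        // 401 rather than 200, so the client can branch on the status code before parsing the body
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().print("{\"success\":false,\"isLoginRequired\":true}");
        response.getWriter().flush();
    }
}

/*
 * Assumed XML wiring with the Spring Security namespace (bean id and URL are placeholders):
 *
 *   <bean id="ajaxEntryPoint" class="com.example.AjaxAwareAuthenticationEntryPoint">
 *       <constructor-arg value="/login.do"/>
 *   </bean>
 *
 *   <http entry-point-ref="ajaxEntryPoint">
 *       <intercept-url pattern="/**" access="ROLE_USER"/>
 *       <form-login login-page="/login.do"/>
 *   </http>
 */
```

Sending 401 with the JSON body means a client does not have to inspect the body to know that the session is gone; it also keeps the login page itself free of request-type checks. The header test is a convenience for routing the response, not an authentication or CSRF control, so nothing should be granted on the strength of X-Requested-With alone.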

An AJAX request then receives a JSON string that the front end can handle. If jQuery is used on the front end, you can extend its ajax method to intercept the results of every AJAX request and handle them globally:

(function ($) {
    // Back up jQuery's original ajax method
    var _ajax = $.ajax;

    // Rewrite jQuery's ajax method
    $.ajax = function (opt) {
        // Back up the error and success callbacks passed in opt (no-ops by default)
        var fn = {
            error: function (XMLHttpRequest, textStatus, errorThrown) {
            },
            success: function (data, textStatus) {
            }
        };
        if (opt.error) {
            fn.error = opt.error;
        }
        if (opt.success) {
            fn.success = opt.success;
        }

        // Extended and enhanced processing; copy into a new object so the caller's opt is not mutated
        var _opt = $.extend({}, opt, {
            error: function (XMLHttpRequest, textStatus, errorThrown) {
                // Error method enhancement: pass straight through to the original callback
                fn.error.apply(this, arguments);
            },
            success: function (data, textStatus) {
                // Success callback enhancement: divert "login required" answers to the login window,
                // everything else (including empty bodies) goes to the original callback
                if (data && !data.success && data.isLoginRequired) {
                    showLoginWindow();
                } else {
                    fn.success.apply(this, arguments);
                }
            }
        });
        return _ajax(_opt);
    };
})(jQuery);

function showLoginWindow() {
    alert("Please log on"); // customise as needed
}

This method is not ideal: after the AJAX request is intercepted globally, the user is only prompted to log in and the flow stops there. Even if a login dialog is shown and the user logs in successfully, the original operation is not resumed; the user has to perform it again.

2. There is another solution that works along similar lines: configure an <access-denied-handler ref="accessDeniedHandler"/> in the Security configuration. However, this handles access denial, not a missing login: if the user has not logged in, the handler is not triggered. One option is to create a special user object by default for anonymous access, with very low permissions, below the normal user permission such as ROLE_USER. Resources are usually configured to require at least ROLE_USER, the normal user identity, so when this anonymous user requests such a resource the default is a forward to the 403 error page; with the access-denied-handler configured, the request goes to your .do page instead, and there you decide and respond as described in the method above.

This solution is not good either, because there is no longer a notion of an anonymous user: obtaining the current user through the user context always yields a User object. In the handler you still need to check whether the user is actually logged in: if not, send them to the login page; if they are, send them to the real 403 page or return a JSON string.
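The "is this user really logged in?" decision described above can be made with the framework's own anonymous-principal check instead of a hand-made low-privilege user. The handler below is an added example, not code from the article: it implements Spring Security's AccessDeniedHandler, hands anonymous callers to whatever AuthenticationEntryPoint is configured (so they get the login page or the JSON marker), and gives authenticated callers either a JSON 403 (AJAX) or a forward to the 403 page. The class name, the error page path and the bean ids are assumptions; it targets Spring Security 3.x or later with the javax.servlet API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Access-denied handler that distinguishes "not logged in" from "logged in but not allowed",
 * and answers AJAX callers with JSON instead of an HTML error page.
 *
 * Hypothetical class; the JSON field names match the article's marker so the client-side
 * wrapper can tell a required login (isLoginRequired=true) from a real 403.
 */
public class AjaxAwareAccessDeniedHandler implements AccessDeniedHandler {

    private final AuthenticationEntryPoint entryPoint;
    private final String errorPage;
    // Recognises the principal created by Spring Security's anonymous filter
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    public AjaxAwareAccessDeniedHandler(AuthenticationEntryPoint entryPoint, String errorPage) {
        this.entryPoint = entryPoint;   // same entry point the <http> element uses
        this.errorPage = errorPage;     // e.g. "/403.do" (assumed path)
    }

    private static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"));
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // No principal, or the anonymous one: this is really "login required", so let the
        // entry point decide between the login page and the JSON marker
        if (auth == null || trustResolver.isAnonymous(auth)) {
            entryPoint.commence(request, response,
                    new InsufficientAuthenticationException("Login required", ex));
            return;
        }

        // Authenticated but not authorised: a genuine 403
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        if (isAjax(request)) {
            response.setContentType("application/json");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().print(
                    "{\"success\":false,\"isLoginRequired\":false,\"message\":\"Access denied\"}");
            response.getWriter().flush();
            return;
        }
        request.getRequestDispatcher(errorPage).forward(request, response);
    }
}

/*
 * Assumed XML wiring (bean ids and paths are placeholders):
 *
 *   <bean id="accessDeniedHandler" class="com.example.AjaxAwareAccessDeniedHandler">
 *       <constructor-arg ref="ajaxEntryPoint"/>
 *       <constructor-arg value="/403.do"/>
 *   </bean>
 *
 *   <http entry-point-ref="ajaxEntryPoint">
 *       <access-denied-handler ref="accessDeniedHandler"/>
 *       ...
 *   </http>
 */
```

With the default anonymous filter left in place, ExceptionTranslationFilter already routes an AccessDeniedException raised for an anonymous principal to the entry point before any access-denied handler runs, which is exactly why the article observes that the handler is never reached for a user who has not logged in. The anonymous branch in the handler is therefore a safety net for setups that replace the anonymous principal, and the authenticated branch is where the real 403 versus JSON decision belongs.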

 
