Original article, reprints welcome! Reprints must retain: Author: jmppok; source: http://blog.csdn.net/jmppok/article/details/44832641
1. Problem
A Web project typically consists of two kinds of resources:
1) Static resources, such as HTML pages, JS scripts and images.
2) API endpoints.
Both must be managed together when access control is applied.
The Spring framework itself provides a powerful security mechanism (Spring Security), but the following problem comes up in practice:
When a user opens a page, that page usually involves both static resources and API calls.
As is well known, when Spring Security decides that the current user may not access a resource, it automatically redirects to the login page or to a 403 page, according to our configuration.
But this is often not what we want. Static resources are generally cached by the browser, and once cached they are no longer requested from the server. So even without a login or the required permission the static page may still be displayed, while the API calls it makes to the server fail. As mentioned above, when an API call fails Spring redirects to the login page or the 403 page (note: a page), which is not the result we want.
An API call is a service invocation: it should return a JSON or XML result that tells the caller whether the call succeeded and, if it failed, whether the reason was a missing login or a missing permission. The client can then decide, based on that failure information, whether to jump to the login page, instead of the server returning login.html or 403.jsp directly in response to an API call.
2. Workaround
1) Configure unified access control
Configure this in applicationContext-security.xml.
There are two main points. 1) A custom entry point, so that we do our own processing where Spring would automatically redirect to the login page:
<http entry-point-ref="myAuthenticationProcessingFilterEntryPoint"> ... </http>
<beans:bean id="myAuthenticationProcessingFilterEntryPoint" class="com.lenovo.MyAuthenticationProcessingFilterEntryPoint">
    <beans:property name="loginFormUrl" value="/login.html"/>
</beans:bean>
MyAuthenticationProcessingFilterEntryPoint extends LoginUrlAuthenticationEntryPoint and overrides its commence method.
In commence the request is inspected, for example to decide whether it is an AJAX request (as in the code below). You could equally decide by URL, e.g. whether the path matches /api/**.
For matching requests a JSON string is returned directly, indicating that the user is not logged in and access failed.
All other requests call super.commence(), which handles them exactly as Spring does.
package com.lenovo;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import com.google.gson.Gson;

public class MyAuthenticationProcessingFilterEntryPoint extends LoginUrlAuthenticationEntryPoint {

    /**
     * @author LIGH4, 1 April 2015 16:38:04
     */
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        // Is this an AJAX request? jQuery and ExtJS send this header automatically.
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            Map<String, Object> error = new HashMap<String, Object>();
            error.put("success", false);
            error.put("result", "loginfailure");
            error.put("data", "loginfailure");
            // Compatible with ExtJS form loading
            // RenderUtils.renderJson(response, error);
            response.setContentType("application/json;charset=UTF-8");
            String json = new Gson().toJson(error);
            response.getWriter().write(json);
            response.getWriter().flush();
        } else {
            // Not an AJAX request: let Spring redirect to the login page as usual
            super.commence(request, response, authException);
        }
    }
}
2) Add an AccessDeniedHandler for access-denied processing:
<access-denied-handler ref="myAuthenticationFailureHandler"/>
<beans:bean id="myAuthenticationFailureHandler" class="com.lenovo.MyAuthenticationFailureHandler"/>
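The two pieces above are easier to read when placed together in one <http> element. The following is an added example, not the original post's configuration: the /js/** prefix, the ROLE_USER role and the logout URLs are assumptions; the bean ids and class names are the ones used on this page. The element order follows the Spring Security 3.x schema.

```xml
<http auto-config="false" use-expressions="true"
      entry-point-ref="myAuthenticationProcessingFilterEntryPoint">
    <!-- Public static resources; the browser may cache these freely -->
    <intercept-url pattern="/login.html" access="permitAll"/>
    <intercept-url pattern="/js/**" access="permitAll"/>
    <!-- API calls: unauthenticated callers reach the entry point (JSON for AJAX),
         authenticated callers without the role reach the access-denied handler -->
    <intercept-url pattern="/api/**" access="hasRole('ROLE_USER')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <access-denied-handler ref="myAuthenticationFailureHandler"/>
    <form-login login-page="/login.html" authentication-failure-url="/login.html?error=1"/>
    <logout logout-url="/logout" logout-success-url="/login.html"/>
</http>

<beans:bean id="myAuthenticationProcessingFilterEntryPoint"
            class="com.lenovo.MyAuthenticationProcessingFilterEntryPoint">
    <beans:property name="loginFormUrl" value="/login.html"/>
</beans:bean>
<beans:bean id="myAuthenticationFailureHandler"
            class="com.lenovo.MyAuthenticationFailureHandler"/>
```

Because entry-point-ref is set on <http>, it takes precedence over the entry point that <form-login> would otherwise create, so the custom JSON behaviour applies to every unauthenticated request regardless of which intercept-url rule rejected it.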
Note that the AccessDeniedHandler is triggered only when the user is logged in but lacks the required permission. If the session has timed out or the user is not logged in, Spring goes directly to the entry point (the login page) instead.
package com.lenovo;

import java.io.IOException;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

public class MyAuthenticationFailureHandler implements AccessDeniedHandler {

    /**
     * @author LIGH4, 31 March 2015 16:15:59
     */
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException) throws IOException, ServletException {
        LogHelper.debug(this, "handle AccessDeniedException ..."); // the project's own logging helper
        // Is this an AJAX request?
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            String msg = "{\"success\": false, \"message\": \"authentication-failure\"}";
            response.setContentType("application/json;charset=UTF-8");
            OutputStream outputStream = response.getOutputStream();
            outputStream.write(msg.getBytes("UTF-8"));
            outputStream.flush();
        } else {
            // Not an AJAX request: fall back to Spring's default 403 handling
            new AccessDeniedHandlerImpl().handle(request, response, accessDeniedException);
        }
    }
}
The AccessDeniedHandler works like MyAuthenticationProcessingFilterEntryPoint above: it checks whether the request is an AJAX or API call and, if so, returns JSON directly. Otherwise the request is handled the same way Spring would handle it.
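The two classes on this page detect an API caller only through the X-Requested-With header, which a non-browser client (curl, a mobile app) never sends, and they answer with HTTP 200 even though the call failed, so a client cannot tell success from failure without parsing the body. The following added example (not the original post's code) generalises both handlers: it treats a request as an API call if it carries the AJAX header, an Accept: application/json header, or a path under /api/ (the prefix the page mentions), and it returns 401 for "not logged in" and 403 for "no permission" together with a JSON body and Cache-Control: no-store, so the browser never caches the error the way it caches static pages. The package name, the /api/ prefix and the message strings are assumptions; the two handlers are nested in one outer class so the whole thing is a single file, and they are referenced from XML as com.example.security.JsonAwareHandlers$EntryPoint and com.example.security.JsonAwareHandlers$DeniedHandler.

```java
package com.example.security; // assumed package, not from the original post

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import com.google.gson.Gson;

public final class JsonAwareHandlers {

    private JsonAwareHandlers() {
    }

    /** Assumed API prefix; the page only gives "/api/**" as an illustration. */
    private static final String API_PREFIX = "/api/";

    /** True when the caller expects machine-readable JSON rather than an HTML page or redirect. */
    static boolean wantsJson(HttpServletRequest request) {
        boolean ajaxHeader = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        String accept = request.getHeader("Accept");
        boolean acceptsJson = accept != null && accept.contains("application/json");
        // Compare against the path inside this web application, ignoring the context path
        String path = request.getRequestURI().substring(request.getContextPath().length());
        boolean apiPath = path.startsWith(API_PREFIX);
        return ajaxHeader || acceptsJson || apiPath;
    }

    /** Writes {"success":false,"message":...} with the given status and no caching. */
    static void writeJson(HttpServletResponse response, int status, String reason) throws IOException {
        Map<String, Object> body = new LinkedHashMap<String, Object>();
        body.put("success", false);
        body.put("message", reason);
        response.setStatus(status);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // An authentication error must never be served from the browser cache
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.getWriter().write(new Gson().toJson(body));
        response.getWriter().flush();
    }

    /** Not logged in: 401 + JSON for API callers, login-page redirect for everyone else. */
    public static class EntryPoint extends LoginUrlAuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) throws IOException, ServletException {
            if (wantsJson(request)) {
                writeJson(response, HttpServletResponse.SC_UNAUTHORIZED, "not-logged-in");
            } else {
                super.commence(request, response, authException);
            }
        }
    }

    /** Logged in but lacking permission: 403 + JSON for API callers, Spring's default otherwise. */
    public static class DeniedHandler implements AccessDeniedHandler {
        private final AccessDeniedHandler fallback = new AccessDeniedHandlerImpl();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException {
            if (wantsJson(request)) {
                writeJson(response, HttpServletResponse.SC_FORBIDDEN, "access-denied");
            } else {
                fallback.handle(request, response, accessDeniedException);
            }
        }
    }
}
```

With this in place the page's client-side decision becomes simple: a 401 means "go to the login page", a 403 means "stay on the page and show the message", and a 2xx with success:true is the real result; the JSON body still carries the reason for clients that only look at the payload.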
Spring Security 3.x: notes on normal login and AJAX login