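When using the @Secured annotation in Spring Security to restrict access to a method, a user who has no permission to call the method is not redirected to the specified page; instead an exception is thrown:
org.springframework.security.AccessDeniedException: Access is denied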
org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:262)
org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
$Proxy8.findUserList(Unknown Source)
com.crystal.security.action.UserAction.viewUserList(UserAction.java:61)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:440)
com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:279)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:242)
com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:163)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:236)
com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:249)
org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:236)
com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:122)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:236)
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:236)
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:195)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:87)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:236)
The method that uses @Secured:
    @Secured({"ROLE_ADMIN"})
    public List<User> findUserList() {
        return _userDao.findUserList();
    }
The applicationContext-security configuration file:
<global-method-security secured-annotations="enabled"></global-method-security>
<http access-denied-page="/noAuthorities.jsp">
    ...
    <form-login login-page="/login.jsp"
        authentication-failure-url="/login.jsp?error=true"
        default-target-url="/login.action" />
    <logout logout-success-url="/login.jsp" />
    <remember-me />
    <http-basic />
</http>
<authentication-manager alias="authenticationManager" />
<authentication-provider user-service-ref="securityManager">
    <password-encoder hash="md5" />
</authentication-provider>
<beans:bean id="accessDecisionManager"
    class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="allowIfAllAbstainDecisions" value="false" />
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean
                class="org.springframework.security.vote.RoleVoter" />
            <beans:bean
                class="org.springframework.security.vote.AuthenticatedVoter" />
        </beans:list>
    </beans:property>
</beans:bean>
<beans:bean id="resourceSecurityInterceptor"
    class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <beans:property name="authenticationManager"
        ref="authenticationManager" />
    <beans:property name="accessDecisionManager"
        ref="accessDecisionManager" />
    <beans:property name="objectDefinitionSource"
        ref="secureResourceFilterInvocationDefinitionSource" />
    <beans:property name="observeOncePerRequest" value="false" />
    <custom-filter after="LAST" />
</beans:bean>
<beans:bean id="secureResourceFilterInvocationDefinitionSource"
    class="com.crystal.security.interceptor.SecureResourceFilterInvocationDefinitionSource" />
Could everyone take a look and tell me where the problem is? The intended behavior is to redirect to the error page when the user has no permission to access the method.

Solutions »

  1.   

    org.springframework.security.AccessDeniedException: Access is denied
    Access is denied.
    If the syntax is correct, could it be a logic problem?
      

  2.   

    Don't you need to configure something like
    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
        <property name="errorPage" value="${url.access.denied}" />
    </bean>
    Otherwise, where would it redirect to?
      

  3.   


    Once a bean like this is defined, where is it referenced?
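
An added example, not part of any post in this thread: with explicit bean configuration, an access-denied handler like the one in reply 2 is referenced from the `accessDeniedHandler` property of `ExceptionTranslationFilter`. The class names assume the Spring Security 2.0 packages (`org.springframework.security.*`) seen in the stack trace; the bean ids are hypothetical, and the two page URLs are reused from the question's configuration.

```xml
<!-- Added example: bean ids below are illustrative, not from the thread -->

<!-- Forwards an authenticated but unauthorized user to the error page -->
<beans:bean id="accessDeniedHandler"
    class="org.springframework.security.ui.AccessDeniedHandlerImpl">
  <beans:property name="errorPage" value="/noAuthorities.jsp" />
</beans:bean>

<!-- Used instead of the handler when the denied user is anonymous -->
<beans:bean id="authenticationEntryPoint"
    class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <beans:property name="loginFormUrl" value="/login.jsp" />
</beans:bean>

<!-- The filter that references the handler: it catches AccessDeniedException
     thrown further down the filter chain and delegates to one of the two
     beans above -->
<beans:bean id="exceptionTranslationFilter"
    class="org.springframework.security.ui.ExceptionTranslationFilter">
  <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
  <beans:property name="accessDeniedHandler" ref="accessDeniedHandler" />
</beans:bean>
```

When the `<http>` namespace element is used, as in the question, its `access-denied-page` attribute configures the equivalent handler on the filter the namespace creates. The filter only acts on an `AccessDeniedException` that propagates back up the filter chain to it; an exception caught and handled earlier by the web framework never reaches the handler.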