In SecurityConfig I specified a custom permission-check service:
http
    .authorizeRequests()
    .antMatchers("/**")
    .access("@rbacauthorityservice.hasPermission(request,authentication)")
The check routine:
public boolean hasPermission(
        HttpServletRequest request,
        Authentication authentication
) throws NoneTokenException {
    String uri = request.getRequestURI();
    HashMap<Integer, Operator> attrs = getAttributes();
    loadIgnorePaths();
    if (authentication.getPrincipal().equals("anonymousUser")) {
        // If the user is anonymous, return "no permission"
        // This is a back-office admin system, so anonymous requests are not let through here
        for (String path : ignorePath) {
            if (matcher.match(path, uri)) {
                return true;
            }
        }
        throw new AccessDeniedException("token校验失败");
    }
    // ... (rest of the method not shown in the post)
At the end, if the request matches none of the static-resource URLs, an AccessDeniedException is thrown.
But I configured a handler in the Config:
    .and()
    .exceptionHandling()
    .accessDeniedHandler(new SimpleAccessDeniedHandler())
public class SimpleAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(
            HttpServletRequest request,
            HttpServletResponse response,
            AccessDeniedException accessDeniedException
    ) throws IOException, ServletException {
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setCharacterEncoding("utf-8");
        PrintWriter printWriter = response.getWriter();
        printWriter.print(ResultBean.error("校验失败,无权限"));
        printWriter.flush();
        printWriter.close();
    }
}
The exception thrown in hasPermission does not run the code above; the response is still:
So what should I do?
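An added example, not the poster's code, of how the check and the exception wiring fit together: the SpEL bean returns a boolean instead of throwing, so Spring Security's FilterSecurityInterceptor raises the AccessDeniedException itself, and because ExceptionTranslationFilter sends an anonymous caller to the AuthenticationEntryPoint rather than the AccessDeniedHandler, the config registers both. It assumes Spring Security 5.x, reuses the post's SimpleAccessDeniedHandler and bean name, and the whitelist and hasRbacGrant lookup are constructed placeholders.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.stereotype.Service;
import org.springframework.util.AntPathMatcher;

// Bean name matches the SpEL reference in the post's access() expression.
@Service("rbacauthorityservice")
class RbacAuthorityService {
    private final AntPathMatcher matcher = new AntPathMatcher();
    private final AuthenticationTrustResolverImpl trustResolver = new AuthenticationTrustResolverImpl();
    // Constructed sample whitelist: static resources that need no token.
    private final List<String> ignorePath = Arrays.asList("/static/**", "/favicon.ico");

    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        String uri = request.getRequestURI();
        if (trustResolver.isAnonymous(authentication)) {
            // No token: only whitelisted paths pass. Returning false (not throwing inside SpEL)
            // lets FilterSecurityInterceptor raise AccessDeniedException; for an anonymous
            // caller ExceptionTranslationFilter then calls the AuthenticationEntryPoint.
            return ignorePath.stream().anyMatch(p -> matcher.match(p, uri));
        }
        return hasRbacGrant(uri, authentication);
    }

    // Hypothetical stand-in for the authenticated-user RBAC lookup the post does not show.
    private boolean hasRbacGrant(String uri, Authentication authentication) {
        return authentication.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals("ROLE_ADMIN"));
    }
}

class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/**").access("@rbacauthorityservice.hasPermission(request,authentication)")
            .and()
            .exceptionHandling()
                // authenticated caller without a grant -> the post's handler
                .accessDeniedHandler(new SimpleAccessDeniedHandler())
                // anonymous caller -> this entry point; otherwise the default entry point answers
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
    }
}
```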