chore: add CustomAccessDeniedHandler

bs32g1038 · Apr 24, 2024 · d2f32df · d2f32df
1 parent 682ae26
commit d2f32df
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/server/src/main/java/com/jixialunbi/config/SecurityConfig.java b/server/src/main/java/com/jixialunbi/config/SecurityConfig.java
@@ -2,6 +2,7 @@
 
 import com.jixialunbi.security.AuthEntryPointJwt;
 import com.jixialunbi.security.AuthTokenFilter;
+import com.jixialunbi.security.CustomAccessDeniedHandler;
 import com.jixialunbi.service.UserDetailsServiceImpl;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -43,6 +44,9 @@ public class SecurityConfig {
     @Autowired
     private AuthEntryPointJwt unauthorizedHandler;
 
+    @Autowired
+    private CustomAccessDeniedHandler customAccessDeniedHandler;
+
     @Bean
     public AuthTokenFilter authenticationJwtTokenFilter() {
         return new AuthTokenFilter();
@@ -81,7 +85,10 @@ public SecurityFilterChain filterChain(HttpSecurity httpSecurity, CorsConfigurat
         httpSecurity
                 .cors(cors -> cors.configurationSource(request -> corsConfiguration))
                 .csrf(e -> e.disable())
-                .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler))
+                .exceptionHandling(exception -> {
+                    exception.accessDeniedHandler(customAccessDeniedHandler);
+                    exception.authenticationEntryPoint(unauthorizedHandler);
+                })
                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                 .authorizeHttpRequests(auth ->
                         auth.requestMatchers(AUTH_WHITELIST).permitAll().anyRequest().authenticated()

diff --git a/server/src/main/java/com/jixialunbi/security/CustomAccessDeniedHandler.java b/server/src/main/java/com/jixialunbi/security/CustomAccessDeniedHandler.java
@@ -0,0 +1,21 @@
+package com.jixialunbi.security;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        response.getWriter().write("Forbidden");
+    }
+
+}