来源:蜘蛛抓取(WebSpider)
时间:2016-08-30 03:40
标签:
shiro 注解权限控制
shiro直接对类进行注解,类似于@Controller的形式
shiro直接对类进行注解,类似于@Controller的形式
& 因为我司项目重构,我负责编写了一些模块,而每个模块Controller都有list,add等相同的方法,他们并不需要处理业务逻辑,只是将请求转到Service层处理完后,根据返回结果再转到相应的视图。所以我编写了Controller层的抽象类,并且在抽象类中实现常用的方法的方法且标记此类的常用注解@RequestMapping(&/list&)。
& 然后其他的所有想要具有 普通CRUD功能的Controller都继承这个抽象类,那就完全不用再写一遍了,而且根据类上的@RequestMapping&注解即可自动分路径,节约大量工作时间,和维护时间,每个类只需要设置自己的视图地址即可,将转发功能再向上提了一层。
&而在这里出了个问题,我司使用Shiro作为权限管理,而@RequiresPermissions注解目前还不能直接写在类上,只能针对某个方法进行注解,这就导致我的抽象类完不能工作了,于是有了本文。
首先我们先找到shiro进行权限处理的入口,可是我并不知道怎么找。。。于是我想到让他报错,然后看请求栈肯定能找到。
严重: Servlet.service() for servlet [spring] in context with path [] threw exception [Reque nested exception is org.apache.shiro.authz.UnauthenticatedException: This subject is anonymous - it does not have any identifying principals and authorization operations require an identity to check against.
A Subject instance will acquire these identifying principals automatically after a successful login is performed be executing org.apache.shiro.subject.Subject.login(AuthenticationToken) or when 'Remember Me' functionality is enabled by the SecurityManager.
This exception can also occur when a previously logged-in Subject has logged out which makes it anonymous again.
Because an identity is currently not known due to any of these conditions, authorization is denied.] with root cause
org.apache.shiro.authz.AuthorizationException: Not authorized to invoke method: ponent.response.RespJSON com.web.mvc.business.ProductController.listJson(java.util.Map,java.lang.Integer,java.lang.Integer)
at org.apache.shiro.authz.aop.AuthorizingAnnotationMethodInterceptor.assertAuthorized(&span style=&color:#FF0000;&&AuthorizingAnnotationMethodInterceptor.java:90&/span&)
at org.apache.shiro.authz.aop.AnnotationsAuthorizingMethodInterceptor.assertAuthorized(AnnotationsAuthorizingMethodInterceptor.java:100)
at org.apache.shiro.authz.aop.AuthorizingMethodInterceptor.invoke(AuthorizingMethodInterceptor.java:38)
at org.apache.shiro.spring.security.interceptor.AopAllianceAnnotationsAuthorizingMethodInterceptor.invoke(AopAllianceAnnotationsAuthorizingMethodInterceptor.java:115)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:646)
at com.web.mvc.business.ProductController$$EnhancerByCGLIB$$76eb0343.listJson(&generated&)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:214)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:748)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:945)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:876)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:931)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:822)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:807)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
我们直接进红色那个类里打个断点,可以得到如下请求栈:
看到好多AOP,想着也是,要判断权限肯定得AOP才方便。
我们一个一个的下去,看看他都经过了什么处理。
就在第二行:
AnnotationsAuthorizingMethodInterceptor,这个类里:
protected void assertAuthorized(MethodInvocation methodInvocation) throws AuthorizationException {
//default implementation just ensures no deny votes are cast:
Collection&AuthorizingAnnotationMethodInterceptor& aamis = getMethodInterceptors();
if (aamis != null && !aamis.isEmpty()) {
for (AuthorizingAnnotationMethodInterceptor aami : aamis) {
if (aami.supports(methodInvocation)) {
aami.assertAuthorized(methodInvocation);
}在这里他获得了权限拦截器,并且逐个去验证,再去找他的实现类:AopAllianceAnnotationsAuthorizingMethodInterceptor
public AopAllianceAnnotationsAuthorizingMethodInterceptor() {
List&AuthorizingAnnotationMethodInterceptor& interceptors =
new ArrayList&AuthorizingAnnotationMethodInterceptor&(5);
//use a Spring-specific Annotation resolver - Spring's AnnotationUtils is nicer than the
//raw JDK resolution process.
AnnotationResolver resolver = new SpringAnnotationResolver();
//we can re-use the same resolver instance - it does not retain state:
interceptors.add(new RoleAnnotationMethodInterceptor(resolver));
interceptors.add(new PermissionAnnotationMethodInterceptor(resolver));
interceptors.add(new AuthenticatedAnnotationMethodInterceptor(resolver));
interceptors.add(new UserAnnotationMethodInterceptor(resolver));
interceptors.add(new GuestAnnotationMethodInterceptor(resolver));
setMethodInterceptors(interceptors);
}确实,在这里将各个权限的拦截器放进了拦截器栈,此时找到这里我就找不到了。。但是我知道这个AopAllianceAnnotationsAuthorizingMethodInterceptor肯定是要被创建出来的,所以把断点打在构造器中,得到如下请求栈:那明显第二个AuthorizationAttributeSourceAdvisor就是了嘛,Spring在启动的时候初始化的public
public AuthorizationAttributeSourceAdvisor() {
setAdvice(new AopAllianceAnnotationsAuthorizingMethodInterceptor());
}Spring知道这东西,那肯定是我们配置的,搜索一下项目,发现有这个:
&bean class=&org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor&&
&property name=&securityManager& ref=&securityManager&/&
&/bean&哎,找了半天,却在眼前而不自知,然而此时根据上面的分析我们也知道了1.shiro根据权限拦截器栈中的权限拦截器去验证权限(AopAllianceAnnotationsAuthorizingMethodInterceptor)2.看名字就知道PermissionAnnotationMethodInterceptor这个是和我们所需的注解有关,他继承了AuthorizingAnnotationMethodInterceptor/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements.
See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership.
The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* &License&); you may not use this file except in compliance
* with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* &AS IS& BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied.
See the License for the
* specific language governing permissions and limitations
* under the License.
package org.apache.shiro.authz.
import org.apache.shiro.aop.AnnotationMethodI
import org.apache.shiro.aop.AnnotationR
import org.apache.shiro.aop.MethodI
import org.apache.shiro.authz.AuthorizationE
* An &tt&AnnotationMethodInterceptor&/tt& that asserts the calling code is authorized to execute the method
* before allowing the invocation to continue by inspecting code annotations to perform an access control check.
* @since 0.1
public abstract class AuthorizingAnnotationMethodInterceptor extends AnnotationMethodInterceptor
* Constructor that ensures the internal &code&handler&/code& is set which will be used to perform the
* authorization assertion checks when a supported annotation is encountered.
* @param handler the internal &code&handler&/code& used to perform authorization assertion checks when a
* supported annotation is encountered.
public AuthorizingAnnotationMethodInterceptor( AuthorizingAnnotationHandler handler ) {
super(handler);
* @param handler
* @param resolver
* @since 1.1
public AuthorizingAnnotationMethodInterceptor( AuthorizingAnnotationHandler handler,
AnnotationResolver resolver) {
super(handler, resolver);
* Ensures the &code&methodInvocation&/code& is allowed to execute first before proceeding by calling the
* {@link #assertAuthorized(org.apache.shiro.aop.MethodInvocation) assertAuthorized} method first.
* @param methodInvocation the method invocation to check for authorization prior to allowing it to proceed/execute.
* @return the return value from the method invocation (the value of {@link org.apache.shiro.aop.MethodInvocation#proceed() MethodInvocation.proceed()}).
* @throws org.apache.shiro.authz.AuthorizationException if the &code&MethodInvocation&/code& is not allowed to proceed.
* @throws Throwable if any other error occurs.
public Object invoke(MethodInvocation methodInvocation) throws Throwable {
assertAuthorized(methodInvocation);
return methodInvocation.proceed();
* Ensures the calling Subject is authorized to execute the specified &code&MethodInvocation&/code&.
* As this is an AnnotationMethodInterceptor, this implementation merely delegates to the internal
* {@link AuthorizingAnnotationHandler AuthorizingAnnotationHandler} by first acquiring the annotation by
* calling {@link #getAnnotation(MethodInvocation) getAnnotation(methodInvocation)} and then calls
* {@link AuthorizingAnnotationHandler#assertAuthorized(java.lang.annotation.Annotation) handler.assertAuthorized(annotation)}.
* @param mi the &code&MethodInvocation&/code& to check to see if it is allowed to proceed/execute.
* @throws AuthorizationException if the method invocation is not allowed to continue/execute.
&span style=&color:#FF0000;&&
public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
((AuthorizingAnnotationHandler)getHandler()).assertAuthorized(getAnnotation(mi));
catch(AuthorizationException ae) {
// Annotation handler doesn't know why it was called, so add the information here if possible.
// Don't wrap the exception here since we don't want to mask the specific exception, such as
// UnauthenticatedException etc.
if (ae.getCause() == null) ae.initCause(new AuthorizationException(&Not authorized to invoke method: & + mi.getMethod()));
而红色部分就是我们第一次断点的地方,再进入assertAuthorized看看怎么认证的,他有5个实现,我们当然是进入PermissionAnnotationHandler,
public void assertAuthorized(Annotation a) throws AuthorizationException {
if (!(a instanceof RequiresPermissions))
RequiresPermissions rpAnnotation = (RequiresPermissions)
String[] perms = getAnnotationValue(a);
Subject subject = getSubject();
if (perms.length == 1) {
subject.checkPermission(perms[0]);
if (Logical.AND.equals(rpAnnotation.logical())) {
getSubject().checkPermissions(perms);
if (Logical.OR.equals(rpAnnotation.logical())) {
// Avoid processing exceptions unnecessarily - &delay& throwing the exception by calling hasRole first
boolean hasAtLeastOnePermission =
for (String permission : perms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission =
// Cause the exception if none of the role match, note that the exception message will be a bit misleading
if (!hasAtLeastOnePermission) getSubject().checkPermission(perms[0]);
}OK,重点就是这里,他获得了方法上的注解,然后用注解value去判断是否有权限了,而我们想要组合该方法所属类上的注解,那我们肯定得改这个方法,问题是看这个方法的签名,直接接收了一个注解,不给我们获取类注解的机会,那肯定又得重新写一个自己的类。于是有了如下:MyPermissionAnnotationHandler
public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
RequiresPermissions methodAnnotation = mi.getMethod().getAnnotation(RequiresPermissions.class);
String[] methodPerms = methodAnnotation.value();
Subject subject = getSubject();
&span style=&color:#FF0000;&&
&strong&if (methodPerms.length == 1)&/strong& {
RequiresPermissions classAnnotation = mi.getThis().getClass().getAnnotation(RequiresPermissions.class);
if(null != classAnnotation) {
String[] classPerms = classAnnotation.value();
subject.checkPermission(classPerms[0] + methodPerms[0]);
subject.checkPermission(methodPerms[0]);
if (Logical.AND.equals(methodAnnotation.logical())) {
getSubject().checkPermissions(methodPerms);
if (Logical.OR.equals(methodAnnotation.logical())) {
// Avoid processing exceptions unnecessarily - &delay& throwing the exception by calling hasRole first
boolean hasAtLeastOnePermission =
for (String permission : methodPerms) if (getSubject().isPermitted(permission)) hasAtLeastOnePermission =
// Cause the exception if none of the role match, note that the exception message will be a bit misleading
if (!hasAtLeastOnePermission) getSubject().checkPermission(methodPerms[0]);
}红色部分即实现所属类注解value和方法注解value的拼接并验证,方法写完了,我们还得有地方调用,其实就是AuthorizingAnnotationMethodInterceptor的实现类去调用了assertAuthorized这个方法。所以我们自己写一个并且继承他:MyPermissionAnnotationMethodInterceptorpublic class MyPermissionAnnotationMethodInterceptor
extends AuthorizingAnnotationMethodInterceptor {
public MyPermissionAnnotationMethodInterceptor() {
super(new PermissionAnnotationHandler());
&span style=&color:#FF0000;&&
public MyPermissionAnnotationMethodInterceptor(AnnotationResolver resolver) {
super(new MyPermissionAnnotationHandler(), resolver);
public void assertAuthorized(MethodInvocation mi) throws AuthorizationException {
&span style=&color:#FF0000;&&
AuthorizingAnnotationHandler handler = (AuthorizingAnnotationHandler) getHandler();
if(handler instanceof MyPermissionAnnotationHandler) {
((MyPermissionAnnotationHandler) handler).assertAuthorized(mi);
handler.assertAuthorized(getAnnotation(mi));
catch(AuthorizationException ae) {
// Annotation handler doesn't know why it was called, so add the information here if possible.
// Don't wrap the exception here since we don't want to mask the specific exception, such as
// UnauthenticatedException etc.
if (ae.getCause() == null) ae.initCause(new AuthorizationException(&Not authorized to invoke method: & + mi.getMethod()));
}红色部分的构造器,设置我们自己的Handler,下面的则是因为我们自己实现的Handler有一个在父类没有定义的函数,所以需要判断并强转才能执行我们需要的方法。最后,在设置拦截器栈的地方(AopAllianceAnnotationsAuthorizingMethodInterceptor),我们肯定要写成自己的:MyAoppublic class MyAop extends AnnotationsAuthorizingMethodInterceptor implements MethodInterceptor {
public MyAop() {
List&AuthorizingAnnotationMethodInterceptor& interceptors =
new ArrayList&AuthorizingAnnotationMethodInterceptor&(5);
//use a Spring-specific Annotation resolver - Spring's AnnotationUtils is nicer than the
//raw JDK resolution process.
AnnotationResolver resolver = new SpringAnnotationResolver();
//we can re-use the same resolver instance - it does not retain state:
interceptors.add(new RoleAnnotationMethodInterceptor(resolver));
&span style=&color:#FF0000;&&interceptors.add(new MyPermissionAnnotationMethodInterceptor(resolver));&/span&
interceptors.add(new AuthenticatedAnnotationMethodInterceptor(resolver));
interceptors.add(new UserAnnotationMethodInterceptor(resolver));
interceptors.add(new GuestAnnotationMethodInterceptor(resolver));
setMethodInterceptors(interceptors);
}最后的最后,spring的配置文件中的定义要换成自己的入口public class MyAuthorizationAttributeSourceAdvisor
extends StaticMethodMatcherPointcutAdvisor {
private static final Logger log = LoggerFactory.getLogger(MyAuthorizationAttributeSourceAdvisor.class);
private static final Class&? extends Annotation&[] AUTHZ_ANNOTATION_CLASSES =
new Class[] {
RequiresPermissions.class, RequiresRoles.class,
RequiresUser.class, RequiresGuest.class, RequiresAuthentication.class
protected SecurityManager securityManager =
* Create a new AuthorizationAttributeSourceAdvisor.
&span style=&color:#FF0000;&&
public MyAuthorizationAttributeSourceAdvisor() {
setAdvice(new MyAop());
}&/span&&bean class=&ponent.shiro.MyAuthorizationAttributeSourceAdvisor&&
&property name=&securityManager& ref=&securityManager&/&
&/bean&这样就大功搞成,直接把注解写在类上,多方便~~回顾一下:1.修改shiro入口,将原本spring提供的org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor换成自己的,修改其构造函数中new的对象,new成自己的aop实现2.将spring提供的AopAllianceAnnotationsAuthorizingMethodInterceptor重写一个自己的,基本就是复制他的源码,然后修改权限验证拦截器栈的设置,想增加也可在这里增加,我现在只需要修改权限验证的拦截器。3.实现自己的权限验证拦截器,因为我们需要类上的注解,所以要执行不同的方法。4.实现自己的权限处理器,因为我们需要类上的注解,在这里我们需要接收到执行的方法,用该方法获取类上的注解,和该方法的注解,最后拼接出最终的权限修饰符去验证,到此就OKshiro的流程还算简单,改起来也算容易,我这里是有一个小问题的,那就是拼接类注解是在方法注解的value只有一个的时候,如果有多个就不去拼类上的注解了,我想方法上的权限注解value也应该只有一个吧,毕竟直接针对某个权限,而不是角色了。转载请注明原创地址
我的热门文章
即使是一小步也想与你分享&&&&spingmvc集成shiro实现权限注解
spingmvc集成shiro实现权限注解
spingmvc集成shiro实现权限注解,通过注解的方式实现权限管理
若举报审核通过,可奖励20下载分
被举报人:
举报的资源分:
请选择类型
资源无法下载
资源无法使用
标题与实际内容不符
含有危害国家安全内容
含有反动色情等内容
含广告内容
版权问题,侵犯个人或公司的版权
*详细原因:
VIP下载&&免积分60元/年(1200次)
您可能还需要
开发技术下载排行Shiro注解多个view权限,注解后怎么来用它控制JSP页面显示相对应的权限显示_百度知道15305人阅读
spring(2)
shiro(1)
第一种使用shiro的注解方式:
&bean class=&org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator& depends-on=&lifecycleBeanPostProcessor&&
&property name=&proxyTargetClass& value=&true& /&
&/bean&&bean class=&org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor&&
&property name=&securityManager& ref=&securityManager&/&
配置上,在方法头上加上注解就可以了,网上资料很多,就不详说了
使用自定义注解
先上自定义注解:
package mon.
import java.lang.annotation.ElementT
import java.lang.annotation.R
import java.lang.annotation.RetentionP
import java.lang.annotation.T
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD})//适用的地方 有 方法上
public @interface CheckPermission {
String [] permission();//可以传多个权限标示
注解使用:
基本用户信息
* @author {huzhe}
@RequestMapping(value = &/saveUser&)
@CheckPermission(permission={BusinessPermissionLabel.permission_addChildAccount})
public OperationPrompt saveUser(UserBasicInfo userbaseInfo,String addRoleIds) {
多个权限标示使用逗号隔开;
第二种:使用spring aop&& 方法验证&& 基于上边的自定义&&&
使用shiro验证是否标示是否有权限&
currentUser.isPermitted(per)
package mon.
import org.apache.shiro.SecurityU
import org.apache.shiro.authz.AuthorizationE
import org.apache.shiro.subject.S
import org.aspectj.lang.ProceedingJoinP
import org.aspectj.lang.annotation.A
import org.aspectj.lang.annotation.A
import org.
@Component
//次方法根据spring aop贴入方法 进行权限验证
public class PermissionInterceptor {
@Around(&execution(* com.isoftstone.dcf.portal..*(..)) && @annotation(checkPermission)&)
public Object doInterceptor(ProceedingJoinPoint pjp,CheckPermission checkPermission) throws Throwable{
long time = new java.util.Date().getTime();
boolean isPermissioin =
Subject currentUser = SecurityUtils.getSubject();
//没有获得注解
及不需要权限-- 则直接运行
if(null!=checkPermission){
String [] permission = checkPermission.permission();
for(String per:permission){
//当前登录人 具有权限
if(currentUser.isPermitted(per)){
isPermissioin =
isPermissioin =
System.out.println(&(AOP)拦截到了:&+pjp.getSignature().getName()+&方法所用时间:&+time+&到&+new java.util.Date().getTime());
if(isPermissioin){
//有执行方法或权限不拦截
return pjp.proceed();
//抛出无权限异常
throw new AuthorizationException();
需要在spring配置文件中开始aop注解:
&!-- 打开aop使用aop进行权限验证 --&
&aop:aspectj-autoproxy /&
方式3:使用spring mvc拦截所有url验证:
&!-- 使用spring mvc拦截器进行权限验证 --&
&mvc:interceptors&
&bean class=&mon.permission.PermissionInterceptorAdapter& /&
&/mvc:interceptors&
这个方法实现大致一样:
package mon.
import javax.servlet.http.HttpServletR
import javax.servlet.http.HttpServletR
import org.apache.shiro.SecurityU
import org.apache.shiro.authz.AuthorizationE
import org.apache.shiro.subject.S
import org.springframework.web.method.HandlerM
import org.springframework.web.servlet.handler.HandlerInterceptorA
//次方法根据spring mvc拦截器进行权限验证
public class PermissionInterceptorAdapter extends HandlerInterceptorAdapter
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
HandlerMethod handler2=(HandlerMethod)
CheckPermission checkPermission = handler2.getMethodAnnotation(CheckPermission.class);
long time = new java.util.Date().getTime();
boolean isPermissioin =
Subject currentUser = SecurityUtils.getSubject();
//没有获得注解
及不需要权限-- 则直接运行
if(null!=checkPermission){
String [] permission = checkPermission.permission();
for(String per:permission){
//当前登录人 具有权限
if(currentUser.isPermitted(per)){
isPermissioin =
isPermissioin =
System.out.println(&拦截到了mvc方法:&+handler2.getMethod()+&方法所用时间:&+time+&到&+new java.util.Date().getTime());
if(isPermissioin){
//有执行方法或权限不拦截
//跑出无权限异常
throw new AuthorizationException();
&除了spring和shiro使用的包:
&dependency&
&groupId&org.aspectj&/groupId&
&artifactId&aspectjrt&/artifactId&
&version&1.8.0&/version&
&/dependency&
&dependency&
&groupId&org.aspectj&/groupId&
&artifactId&aspectjweaver&/artifactId&
&version&1.8.0&/version&
&/dependency&
spring自定义异常拦截:
package mon.
import java.io.IOE
import java.sql.SQLE
import javax.servlet.http.HttpServletR
import javax.servlet.http.HttpServletR
import org.apache.shiro.authz.AuthorizationE
import org.apache.shiro.authz.UnauthorizedE
import org.
import org.springframework.web.servlet.HandlerExceptionR
import org.springframework.web.servlet.ModelAndV
import mon.bo.PermissioinP
* 自定义权限异常处理
* @author Administrator
@Component
public class MyHandlerExceptionResolver implements HandlerExceptionResolver
public ModelAndView resolveException(HttpServletRequest request,
HttpServletResponse response, Object object, Exception exception) {
//是否为ajax请求
String requestType = request.getHeader(&X-Requested-With&);
if(exception instanceof AuthorizationException){
response.setStatus(413);//无权限异常
主要用于ajax请求返回
response.addHeader(&Error-Json&, &{code:413,msg:'nopermission',script:''}&);
response.setContentType(&text/charset=utf-8&);
if(&XMLHttpRequest&.equals(requestType)){
return new ModelAndView();
return new ModelAndView(&redirect:/html/413.html&);
马上下班了,写的比较着急,有问题的话,大家留言,互相讨论!
参考知识库
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
访问:292997次
积分:2073
积分:2073
排名:第13381名
原创:24篇
评论:68条
(2)(4)(2)(1)(2)(1)(3)(2)(2)(1)(1)(12)
