[关闭]
@TedZhou 2020-11-04T09:56:20.000000Z 字数 20133 阅读 764

Spring security with thymeleaf

java spring security thymeleaf

记录spring boot项目使用spring security的核心配置和相关组件。要点:
1. 支持自定义页面登录
2. 支持AJAX登录/登出
3. 支持RBAC权限控制
4. 支持增加多种认证方式
5. 支持集群部署(会话共享redis存储)
6. 支持SessionId放在Header的X-Auth-Token里

项目依赖 pom.xml

  1. <dependency>
  2.     <groupId>org.springframework.boot</groupId>
  3.     <artifactId>spring-boot-starter-web</artifactId>
  4. </dependency>
  5. <dependency>
  6.     <groupId>org.springframework.boot</groupId>
  7.     <artifactId>spring-boot-starter-security</artifactId>
  8. </dependency>
  9. <dependency>
  10.     <groupId>org.springframework.boot</groupId>
  11.     <artifactId>spring-boot-starter-thymeleaf</artifactId>
  12. </dependency>
  13. <dependency>
  14.     <groupId>org.thymeleaf.extras</groupId>
  15.     <artifactId>thymeleaf-extras-springsecurity5</artifactId>
  16. </dependency>
  17. <dependency>
  18.     <groupId>org.springframework.boot</groupId>
  19.     <artifactId>spring-boot-starter-data-redis</artifactId>
  20. </dependency>
  21. <dependency>
  22.     <groupId>org.springframework.session</groupId>
  23.     <artifactId>spring-session-data-redis</artifactId>
  24. </dependency>

相关参考:关于redis 关于thymeleaf

Security配置类 SecurityConfig.java

  1. import java.util.Arrays;
  2. import java.util.List;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.context.annotation.Bean;
  5. import org.springframework.context.annotation.Configuration;
  6. import org.springframework.security.access.AccessDecisionManager;
  7. import org.springframework.security.access.AccessDecisionVoter;
  8. import org.springframework.security.access.vote.AuthenticatedVoter;
  9. import org.springframework.security.access.vote.UnanimousBased;
  10. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  11. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  12. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  13. import org.springframework.security.config.annotation.web.builders.WebSecurity;
  14. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  15. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  16. import org.springframework.security.web.access.expression.WebExpressionVoter;
  17. import org.springframework.security.web.authentication.AuthenticationFailureHandler;
  18. import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
  19. import org.springframework.session.web.http.HttpSessionIdResolver;
  21. @Configuration
  22. @EnableWebSecurity
  23. @EnableGlobalMethodSecurity(prePostEnabled = true)
  24. public class SecurityConfig extends WebSecurityConfigurerAdapter {
  25.     @Autowired
  26.     private AuthProviderUsernamePassword authProviderUsernamePassword;
  27.     @Autowired
  28.     private AuthSuccessHandler authSuccessHandler;
  29.     @Autowired
  30.     private AuthFailureHandler authFailureHandler;
  31.     @Autowired
  32.     private ExitSuccessHandler exitSuccessHandler;
  34.     @Bean
  35.     protected AuthenticationFailureHandler authenticationFailureHandler() {
  36.         authFailureHandler.setDefaultFailureUrl("/login?error");
  37.         return authFailureHandler;
  38.     }
  40.     @Bean
  41.     protected LogoutSuccessHandler logoutSuccessHandler() {
  42.         exitSuccessHandler.setDefaultTargetUrl("/login?logout");
  43.         return exitSuccessHandler;
  44.     }
  46.     private static String[] INGORE_URLS = {"/login", "/error",};
  48.     @Override
  49.     public void configure(WebSecurity webSecurity) {
  50.         webSecurity.ignoring().antMatchers("/static/**");//忽略静态资源
  51.         webSecurity.ignoring().antMatchers("/favicon.ico");
  52.     }
  54.     @Override
  55.     protected void configure(HttpSecurity httpSecurity) throws Exception {
  56.         httpSecurity
  57.             .authorizeRequests()
  58.                 .antMatchers(INGORE_URLS).permitAll()
  59.                 .anyRequest().authenticated()
  60.                 .accessDecisionManager(accessDecisionManager())//如果不需要权限验证,去掉这句即可
  61.         .and()
  62.             .formLogin()
  63.                 .successHandler(authSuccessHandler)
  64.                 .failureHandler(authFailureHandler)
  65.                 .loginPage("/login")//.permitAll()
  66.         .and()
  67.             .logout()
  68.                 .logoutSuccessHandler(logoutSuccessHandler())//.permitAll()
  69.         //.and().rememberMe()
  70.         .and().csrf().disable();
  71.     }
  73.     @Override
  74.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {
  75.         auth.authenticationProvider(authProviderUsernamePassword);
  76.         //auth.authenticationProvider(authProvider2);可以增加多个认证方式,比如码验证等
  77.     }
  79.     @Bean
  80.     protected AccessDecisionManager accessDecisionManager() {
  81.         List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays.asList(
  82.             new WebExpressionVoter(),
  83.             authDecisionVoter(),//new RoleVoter(),
  84.             new AuthenticatedVoter());
  85.         return new UnanimousBased(decisionVoters);
  86.     }
  88.     @Bean
  89.     protected AuthDecisionVoter authDecisionVoter() {
  90.         return new AuthDecisionVoter();
  91.     }
  93.     @Bean
  94.     public HttpSessionIdResolver httpSessionIdResolver() {
  95.         return new HeaderCookieHttpSessionIdResolver();
  96.     }
  97. }

登录认证类 AuthProviderUsernamePassword.java

AuthenticationProvider提供用户认证的处理方法。如果有多种认证方式,可以实现多个类一并添加到AuthenticationManagerBuilder里即可。

  1. import org.springframework.beans.factory.annotation.Autowired;
  2. import org.springframework.security.authentication.AuthenticationProvider;
  3. import org.springframework.security.authentication.BadCredentialsException;
  4. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  5. import org.springframework.security.core.Authentication;
  6. import org.springframework.security.core.AuthenticationException;
  7. import org.springframework.stereotype.Component;
  9. @Component
  10. public class AuthProviderUsernamePassword implements AuthenticationProvider {
  11.     @Autowired 
  12.     AuthUserService authUserService;
  14.     @Override
  15.     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
  16.         String username = authentication.getName();  
  17.         String password = authentication.getCredentials().toString();  
  18.         AuthUser userDetails = authUserService.loadUserByUsername(username);
  19.         if(userDetails == null){  
  20.             throw new BadCredentialsException("账号或密码错误");  
  21.         }  
  22.         if (!authUserService.checkPassword(userDetails, password)) {  
  23.             throw new BadCredentialsException("账号或密码不正确");  
  24.         }  
  25.         //认证校验通过后,封装UsernamePasswordAuthenticationToken返回  
  26.         return new UsernamePasswordAuthenticationToken(userDetails, password, authUserService.fillUserAuthorities(userDetails));  
  27.     }
  29.     @Override
  30.     public boolean supports(Class<?> authentication) {
  31.         return true;
  32.     }
  33. }

登录成功处理 AuthSuccessHandler.java

配置于formLogin().successHandler(),可选。

  1. import java.io.IOException;
  2. import javax.servlet.ServletException;
  3. import javax.servlet.http.HttpServletRequest;
  4. import javax.servlet.http.HttpServletResponse;
  5. import org.springframework.security.core.Authentication;
  6. import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
  7. import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
  8. import org.springframework.security.web.savedrequest.RequestCache;
  9. import org.springframework.security.web.savedrequest.SavedRequest;
  10. import org.springframework.stereotype.Component;
  12. @Component
  13. public class AuthSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
  14.     private RequestCache requestCache = new HttpSessionRequestCache();
  16.     @Override
  17.     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
  18.             Authentication authentication) throws ServletException, IOException {
  19.         //登录成功处理,比如记录登录日志
  20.         String ip = request.getRemoteAddr();
  21.         String targetUrl = "";
  22.         SavedRequest savedRequest = requestCache.getRequest(request, response);
  23.         if (savedRequest != null) {
  24.             targetUrl = savedRequest.getRedirectUrl();
  25.         }
  26.         AuthUser aUser = (AuthUser) authentication.getPrincipal();
  27.         System.out.printf("User %s login, ip: %s, url: ", aUser.getUsername(), ip, targetUrl);
  29.         if (WebUtils.isAjaxReq(request)) {//ajax登录
  30.             HttpSession session = request.getSession();
  31.             String sessionId = new Base64().encodeToString(session.getId().getBytes("UTF-8"));
  32.             response.sendError(200, "success!SESSION="+sessionId);
  33.             return;
  34.         }
  35.         super.onAuthenticationSuccess(request, response, authentication);
  36.     }
  37. }

登录失败处理 AuthFailureHandler.java

配置于formLogin().failureHandler(),可选。

  1. import java.io.IOException;
  2. import javax.servlet.ServletException;
  3. import javax.servlet.http.HttpServletRequest;
  4. import javax.servlet.http.HttpServletResponse;
  5. import org.springframework.security.core.Authentication;
  6. import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
  7. import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
  8. import org.springframework.security.web.savedrequest.RequestCache;
  9. import org.springframework.security.web.savedrequest.SavedRequest;
  10. import org.springframework.stereotype.Component;
  12. @Component
  13. public class AuthFailureHandler extends SimpleUrlAuthenticationFailureHandler {
  14.     @Override
  15.     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
  16.             AuthenticationException exception) throws IOException, ServletException {
  17.         String uaSummary = WebUtils.getUserAgentSummary(request);
  18.         String ip = request.getRemoteAddr();
  19.         String username = request.getParameter("username");
  20.         System.out.printf("User %s login failed, ip: %s, ua: %s", username, ip, uaSummary);
  21.         super.saveException(request, exception);
  22.         if (WebUtils.isAjaxReq(request)) {//ajax登录
  23.             //为什么用sendError会导致302重定向到login页面?
  24.             //--When you invoke sendError it will dispatch the request to /error (it the error handling code registered by Spring Boot. However, Spring Security will intercept /error and see that you are not authenticated and thus redirect you to a log in form.
  25.             response.sendError(403, exception.getMessage());
  26.             return;
  27.         }
  28.         response.sendRedirect("login?error");
  29.     }
  30. }

登出成功处理 ExitSuccessHandler.java

配置于logout().logoutSuccessHandler(),可选。

  1. import java.io.IOException;
  2. import javax.servlet.ServletException;
  3. import javax.servlet.http.HttpServletRequest;
  4. import javax.servlet.http.HttpServletResponse;
  5. import org.springframework.security.core.Authentication;
  6. import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
  7. import org.springframework.stereotype.Component;
  9. @Component
  10. public class ExitSuccessHandler extends SimpleUrlLogoutSuccessHandler {
  11.     @Override
  12.     public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
  13.             throws IOException, ServletException {
  14.         if (WebUtils.isAjaxReq(request)) {//ajax登录
  15.             response.sendError(200, "success");
  16.             return;
  17.         }
  18.         super.onLogoutSuccess(request, response, authentication);
  19.     }
  20. }

解析SessionId的类 HeaderCookieHttpSessionIdResolver.java

增加优先从Header里找X-Auth-Token作为SessionId,以适应不支持Cookie的情况。
这个类就是把CookieHttpSessionIdResolver和HeaderHttpSessionIdResolver柔和在一起而已。
对应配置@Bean httpSessionIdResolver。

  1. import java.util.List;
  2. import javax.servlet.http.HttpServletRequest;
  3. import javax.servlet.http.HttpServletResponse;
  4. import org.springframework.session.web.http.CookieHttpSessionIdResolver;
  5. import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
  6. import org.springframework.session.web.http.HttpSessionIdResolver;
  8. public class HeaderCookieHttpSessionIdResolver implements HttpSessionIdResolver {
  9.     protected HeaderHttpSessionIdResolver headerResolver = HeaderHttpSessionIdResolver.xAuthToken();
  10.     protected CookieHttpSessionIdResolver cookieResolver = new CookieHttpSessionIdResolver();
  12.     @Override
  13.     public List<String> resolveSessionIds(HttpServletRequest request) {
  14.         List<String> sessionIds = headerResolver.resolveSessionIds(request);
  15.         if (sessionIds.isEmpty()) {
  16.             sessionIds = cookieResolver.resolveSessionIds(request);
  17.         }
  18.         return sessionIds;
  19.     }
  21.     @Override
  22.     public void setSessionId(HttpServletRequest request, HttpServletResponse response, String sessionId) {
  23.         headerResolver.setSessionId(request, response, sessionId);
  24.         cookieResolver.setSessionId(request, response, sessionId);
  25.     }
  27.     @Override
  28.     public void expireSession(HttpServletRequest request, HttpServletResponse response) {
  29.         headerResolver.expireSession(request, response);
  30.         cookieResolver.expireSession(request, response);
  31.     }
  32. }

认证用户类 AuthUser.java

用户实体类,实现UserDetails接口。

  1. import java.io.Serializable;
  2. import java.util.Collection;
  3. import java.util.List;
  4. import javax.persistence.Id;
  5. import org.springframework.security.core.GrantedAuthority;
  6. import org.springframework.security.core.authority.AuthorityUtils;
  7. import org.springframework.security.core.userdetails.UserDetails;
  8. import org.springframework.util.StringUtils;
  9. import lombok.Data;
  11. @Data
  12. public class AuthUser implements UserDetails, Serializable {
  13.     private static final long serialVersionUID = -1572872798317304041L;
  15.     @Id
  16.     private Long id;
  17.     private String username;
  18.     private String password;
  20.     private Collection<? extends GrantedAuthority> authorities;
  22.     public Collection<? extends GrantedAuthority> fillPerms(List<String> perms) {
  23.         String authorityString = StringUtils.collectionToCommaDelimitedString(perms);
  24.         authorities = AuthorityUtils.commaSeparatedStringToAuthorityList(authorityString);
  25.         return authorities;
  26.     }
  28.     @Override
  29.     public Collection<? extends GrantedAuthority> getAuthorities() {
  30.         return authorities;
  31.     }
  33.     @Override
  34.     public boolean isAccountNonExpired() {
  35.         return true;
  36.     }
  38.     @Override
  39.     public boolean isAccountNonLocked() {
  40.         return true;
  41.     }
  43.     @Override
  44.     public boolean isCredentialsNonExpired() {
  45.         return true;
  46.     }
  48.     @Override
  49.     public boolean isEnabled() {
  50.         return true;
  51.     }
  52. }

认证用户服务类 AuthUserService.java

提供根据用户名获取用户的方法loadUserByUsername();提供用户的权限fillUserAuthorities()。

  1. import java.util.ArrayList;
  2. import java.util.Collection;
  3. import java.util.List;
  4. import org.joda.time.LocalDateTime;
  5. import org.springframework.security.core.GrantedAuthority;
  6. import org.springframework.security.core.userdetails.UserDetailsService;
  7. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  8. import org.springframework.stereotype.Service;
  10. @Service
  11. public class AuthUserService implements UserDetailsService {
  12.     @Override
  13.     public AuthUser loadUserByUsername(String username) throws UsernameNotFoundException {
  14.         //读取用户,一般是从数据库读取,这里随便new一个
  15.         AuthUser user = new AuthUser();// userDao.findByUsername(username);
  16.         user.setId(System.currentTimeMillis());
  17.         user.setUsername(username);
  18.         user.setPassword(username);
  19.         return user;
  20.     }
  22.     public boolean checkPassword(AuthUser user, String pwd) {
  23.         //判断用户密码,这里简单判断相等
  24.         if (pwd != null && pwd.equals(user.getPassword())) {
  25.             return true;
  26.         }
  27.         return false;
  28.     }
  30.     public Collection<? extends GrantedAuthority> fillUserAuthorities(AuthUser aUser) {
  31.         //获取用户权限,一般从数据库读取,并缓存。这里随便拼凑
  32.         List<String> perms = new ArrayList<>(); //permDao.findPermByUserId(aUser.getId());
  33.         LocalDateTime now = LocalDateTime.now();
  34.         perms.add("P"+now.getHourOfDay());
  35.         perms.add("P"+now.getMinuteOfHour());
  36.         perms.add("P"+now.getSecondOfMinute());
  37.         return aUser.fillPerms(perms);
  38.     }
  39. }

模拟用户示例:

  1. {
  2.     "id": 1598515192490,
  3.     "username": "test",
  4.     "password": "test",
  5.     "authorities": [{
  6.             "authority": "P15"
  7.         }, {
  8.             "authority": "P59"
  9.         }, {
  10.             "authority": "P52"
  11.         }
  12.     ]
  13. }

认证入口 AuthControll.java

这里提供loginPage配置的路径"/login"。如果暂不想自定义登录界面,去掉loginPage配置即可。

  1. import org.springframework.security.core.annotation.AuthenticationPrincipal;
  2. import org.springframework.stereotype.Controller;
  3. import org.springframework.ui.Model;
  4. import org.springframework.web.bind.annotation.PathVariable;
  5. import org.springframework.web.bind.annotation.RequestMapping;
  6. import org.springframework.web.bind.annotation.ResponseBody;
  8. @Controller
  9. public class AuthController {
  10.     @RequestMapping("/login")//登录入口
  11.     String login(String username, Model model) {
  12.         model.addAttribute("username", username);
  13.         return "login";
  14.     }
  16.     @RequestMapping("/")//主页
  17.     @ResponseBody
  18.     Object home(@AuthenticationPrincipal AuthUser currentUser) {
  19.         return currentUser;
  20.     }
  22.     @RequestMapping("/{path}")//测试用
  23.     @ResponseBody
  24.     Object url1(@PathVariable String path) {
  25.         if (path.contains("0")) {//模拟错误
  26.             path = String.valueOf(1/0);
  27.         }
  28.         return path;
  29.     }
  30. }

权限验证类 AuthDecisionVoter.java

配置AccessDecisionManager用于自定义权限验证投票器。验证的前提是获取待访问资源(url)相关的权限(getPermissionsByUrl)。验证的方法是,看用户所拥有的权限是否能够匹配url的权限。

Spring security另一种常用的权限控制方式是配置@EnableGlobalMethodSecurity(prePostEnabled = true),在方法上使用@PreAuthorize("hasPermission('PXX')")。但用这种方法注解的url,不支持用在thymeleaf模板的sec:authorize-url中。

ps1.thymeleaf 提供了前端判断权限的扩展,参见 thymeleaf-extras-springsecurity & thymeleaf sec:标签的使用

  1. import java.util.ArrayList;
  2. import java.util.Collection;
  3. import java.util.List;
  4. import org.springframework.security.access.AccessDecisionVoter;
  5. import org.springframework.security.access.ConfigAttribute;
  6. import org.springframework.security.access.SecurityConfig;
  7. import org.springframework.security.core.Authentication;
  8. import org.springframework.security.core.GrantedAuthority;
  9. import org.springframework.security.web.FilterInvocation;
  10. import org.springframework.util.StringUtils;
  12. public class RbacDecisionVoter implements AccessDecisionVoter<Object> {
  13.     static final String permitAll = "permitAll";
  15.     @Override
  16.     public boolean supports(ConfigAttribute attribute) {
  17.         return true;
  18.     }
  20.     @Override
  21.     public boolean supports(Class<?> clazz) {
  22.         return true;
  23.     }
  25.     @Override
  26.     public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
  27.         if (authentication == null) {
  28.             return ACCESS_DENIED;
  29.         }
  31.         if (attributes != null) {
  32.             for (ConfigAttribute attribute : attributes) {
  33.                 if (permitAll.equals(attribute.toString())) {// skip permitAll
  34.                     return ACCESS_ABSTAIN;
  35.                 }
  36.             }
  37.         }
  39.         String requestUrl = ((FilterInvocation) object).getRequestUrl();// 当前请求的URL
  40.         Collection<ConfigAttribute> urlPerms = getPermissionsByUrl(requestUrl);// 能访问URL的权限
  41.         if (urlPerms == null || urlPerms.isEmpty()) {
  42.             return ACCESS_ABSTAIN;
  43.         }
  45.         int result = ACCESS_ABSTAIN;
  46.         Collection<? extends GrantedAuthority> userAuthorities = authentication.getAuthorities(); // 当前用户的权限
  47.         for (ConfigAttribute attribute : urlPerms) {
  48.             String urlPerm = attribute.getAttribute();
  49.             if (StringUtils.isEmpty(urlPerm)) {
  50.                 continue;
  51.             }
  53.             result = ACCESS_DENIED;
  54.             // Attempt to find a matching granted authority
  55.             for (GrantedAuthority authority : userAuthorities) {
  56.                 if (urlPerm.equals(authority.getAuthority())) {
  57.                     return ACCESS_GRANTED;
  58.                 }
  59.             }
  60.         }
  61.         return result;
  62.     }
  64.     Collection<ConfigAttribute> getPermissionsByUrl(String url) {
  65.         // 获取url的访问权限,一般从数据库读取,并缓存。这里随便拼凑
  66.         if ("/".equals(url)) {
  67.             return null;//根路径不限权
  68.         }
  69.         String n1 = url.substring(url.length()-1);
  70.         String n2 = url.substring(url.length()-2);
  71.         return SecurityConfig.createList("P"+n1, "P"+n2);
  72.     }
  73. }

自定义登录界面 login.html

  1. <!DOCTYPE html>
  2. <html lang="zh" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
  3. <head>
  4.     <title>登录</title>
  5.     <meta charset="utf-8"/>
  6.     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, shrink-to-fit=no"/>
  7.     <link rel="stylesheet" href="//cdn.bootcdn.net/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"/>
  8.     <style type="text/css">
  9.       body{padding-top:40px; padding-bottom:40px; background-color:#eee;}
  10.      .form-signin{max-width:330px; padding:15px; margin:0 auto;}
  11.     </style>
  12. </head>
  13. <body>
  14.      <div id="root" class="container">
  15.         <form class="form-signin" method="post" th:action="@{/login}">
  16.             <h2 class="form-signin-heading">请登录</h2>
  17.             <div th:if="${param.logout}" class="alert alert-success" role="alert"><span>您已退出登录</span></div>
  18. 			<div th:if="${param.error}" class="alert alert-danger" role="alert"><span th:utext="${session['SPRING_SECURITY_LAST_EXCEPTION'].message}">密码错误</span></div>
  19.             <p>
  20.                 <label for="username" class="sr-only">用户账号:</label>
  21.                 <input type="text" id="username" name="username" class="form-control" placeholder="请输入账号" required autofocus>
  22.             </p>
  23.             <p>
  24.                 <label for="password" class="sr-only">用户密码:</label>
  25.                 <input type="password" name="password" class="form-control" placeholder="请输入密码" required>
  26.             </p>
  27.             <button class="btn btn-lg btn-primary btn-block" type="submit">确定</button>
  28.         </form>
  29.     </div>
  30. </body>
  31. </html>

自定义错误信息 CustomErrorAttributes.java

403-没有权限、404-找不到页面等所有错误和异常,都会被SpringBoot默认的BasicErrorController处理。如果有需要,可定制ErrorAttributes。

  1. import java.util.Map;
  2. import org.springframework.boot.web.servlet.error.DefaultErrorAttributes;
  3. import org.springframework.stereotype.Component;
  4. import org.springframework.web.context.request.WebRequest;
  6. @Component
  7. public class CustomErrorAttributes extends DefaultErrorAttributes {
  8.     @Override
  9.     public Map<String, Object> getErrorAttributes(WebRequest webRequest, boolean includeStackTrace) {
  10.         Map<String, Object> errorAttributes = super.getErrorAttributes(webRequest, includeStackTrace);
  11.         errorAttributes.put("code", errorAttributes.getOrDefault("status", 0));//自定义code属性
  12.         Throwable error = super.getError(webRequest);
  13.         if (error != null && error.getMessage() != null) {
  14.             String message = (String)errorAttributes.getOrDefault("message", "");
  15.             if (!message.equals(error.getMessage())) {
  16.                 errorAttributes.put("message", message+" "+error.getMessage());//增强message属性
  17.             }
  18.         }
  19.         return errorAttributes;
  20.     }
  21. }

非浏览器访问(produces="text/html")出错时,返回json数据,示例:

  1. {
  2.     "timestamp": "2020-08-27T09:05:11.178+0000",
  3.     "status": 500,
  4.     "error": "Internal Server Error",
  5.     "message": "/ by zero",
  6.     "path": "/demo/015",
  7.     "code": 500
  8. }

浏览器访问(produces="text/html")出错时,返回html页面。

自定义错误页面 error/4xx.html

SpringBoot默认的Whitelabel Error Page需要定制,只要把错误页面模板放在error路径下即可。模板中可使用上述ErrorAttributes中的字段。

  1. <!DOCTYPE html>
  2. <html lang="zh" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/extras/spring-security">
  3. <head>
  4.     <meta charset="utf-8"/>
  5.     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, shrink-to-fit=no"/>
  6.     <link rel="stylesheet" href="//cdn.bootcdn.net/ajax/libs/twitter-bootstrap/4.3.1/css/bootstrap.min.css"/>
  7. </head>
  8. <body>
  9.      <div id="root" class="container">
  10.         <div class="main">
  11.             <br/><h2 class="text-center"><span th:text="${status}">404</span>-<span th:text="${error}">Not Found</span></h2><br/>
  12.             <p class="text-center" th:if="${message}"><span th:text="${message}"></span></p>
  13.             <p class="text-center" th:if="${exception}"><span th:text="${exception}"></span></p>
  14.             <p class="text-center"><a class="btn btn-primary" th:href="@{'/'}">Home</a></p>
  15.         </div>
  16.     </div>
  17. </body>
  18. </html>

自定义错误页面 error/5xx.html

类似5xx.html,略。

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注