From 82d29dc7cd64bd968dc7ac2eaef54715465e3249 Mon Sep 17 00:00:00 2001
From: Tim <135014430+nagisa77@users.noreply.github.com>
Date: Mon, 30 Jun 2025 20:20:27 +0800
Subject: [PATCH] Return 401 for admin access without permission
---
 .../config/CustomAccessDeniedHandler.java | 25 +++++++++++++++++++
 .../com/openisle/config/SecurityConfig.java | 3 +++
 2 files changed, 28 insertions(+)
 create mode 100644 src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
diff --git a/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java b/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
new file mode 100644
index 000000000..992b06f04
--- /dev/null
+++ b/src/main/java/com/openisle/config/CustomAccessDeniedHandler.java
@@ -0,0 +1,25 @@
+package com.openisle.config;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+/**
+ * Returns 401 Unauthorized when an authenticated user lacks required privileges.
+ */
+@Component
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+ @Override
+ public void handle(HttpServletRequest request,
+ HttpServletResponse response,
+ AccessDeniedException accessDeniedException) throws IOException, ServletException {
+ response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ response.setContentType("application/json");
+ response.getWriter().write("{\"error\": \"Unauthorized\"}");
+ }
+}
diff --git a/src/main/java/com/openisle/config/SecurityConfig.java b/src/main/java/com/openisle/config/SecurityConfig.java
index d5ca99684..09ccb2761 100644
--- a/src/main/java/com/openisle/config/SecurityConfig.java
+++ b/src/main/java/com/openisle/config/SecurityConfig.java
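Review bot: `handle` answers with `SC_UNAUTHORIZED` for a request that has already been authenticated — Spring's ExceptionTranslationFilter only routes an `AccessDeniedException` to the `AccessDeniedHandler` when the principal is not anonymous, anonymous denials go to the `AuthenticationEntryPoint` instead — so a client that reads 401 as "credentials invalid" will discard or refresh a valid token and can loop, and 401s and 403s are triaged differently in access logs and alerting. RFC 7235 also requires a `WWW-Authenticate` header on every 401, which this response does not carry, and the bearer-token profile (RFC 6750) describes exactly this case as 403 with `error="insufficient_scope"`. If 401 is a deliberate choice so that callers cannot tell an admin route exists from a plain denial, record that rationale in the class Javadoc rather than the current one-liner; otherwise the expected mapping is `response.setStatus(HttpServletResponse.SC_FORBIDDEN);` with a matching body such as `response.getWriter().write("{\"error\": \"Forbidden\"}");`.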
@@ -17,6 +17,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -31,6 +32,7 @@ import java.io.IOException;
 public class SecurityConfig {
 private final JwtService jwtService;
 private final UserRepository userRepository;
+ private final AccessDeniedHandler customAccessDeniedHandler;
 @Bean
 public PasswordEncoder passwordEncoder() {
@@ -61,6 +63,7 @@ public class SecurityConfig {
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 http.csrf(csrf -> csrf.disable())
 .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+ .exceptionHandling(eh -> eh.accessDeniedHandler(customAccessDeniedHandler))
 .authorizeHttpRequests(auth -> auth
 .requestMatchers(HttpMethod.POST, "/api/auth/**").permitAll()
 .requestMatchers(HttpMethod.GET, "/api/posts/**").permitAll()
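Review bot: The new `.exceptionHandling(...)` call in `filterChain` configures only the `accessDeniedHandler` and leaves the `authenticationEntryPoint` at its default; in a stateless JWT chain with no `httpBasic`/`formLogin` that default is `Http403ForbiddenEntryPoint`, so — unless an entry point is set further down the method, which runs past the hunk — the combined behaviour becomes: no token at all → 403, valid token without the required role → 401, the inverse of what the two status codes mean. Whichever code is chosen for the denied case, the two paths should be set together so they stay consistent, e.g. `.exceptionHandling(eh -> eh.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)).accessDeniedHandler(customAccessDeniedHandler))` (imports `org.springframework.security.web.authentication.HttpStatusEntryPoint` and `org.springframework.http.HttpStatus`). The `private final AccessDeniedHandler customAccessDeniedHandler` field added in the second hunk presumably relies on a generated constructor that is not in the diff — worth confirming the field is actually injected rather than left null; the earlier import hunk needs no change.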