  • Access Denied Handler not working

    I have the following Spring security configuration:
    <security:http entry-point-ref="preAuthenticateEntryPoint">
        <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthenticationFilter" />
        <security:custom-filter ref="validSessionFilter" position="FIRST" />
        <security:intercept-url pattern="/admin.jsp" access="ROLE_SUPERVISOR" />
        <security:intercept-url pattern="/welcome.jsp" filters="none" />
        <security:intercept-url pattern="/invalidSession.jsp" filters="none" />
        <security:intercept-url pattern="/illegalAccess.htm" filters="none" />
        <security:access-denied-handler error-page="/illegalAccess.htm" />
        <security:logout invalidate-session="true" logout-url="/logout.jsp"
                         logout-success-url="/logged_out.jsp" />
    </security:http>

    When access issues exist, the custom access denied page is not getting thrown. Instead I see the browser-specific 403 page. On the console, I see org.springframework.security.access.AccessDeniedException being thrown instead of being handled by the handler.

    Am I doing anything wrong here?

  • #2
    jr

    See my thread here http://forum.springsource.org/showth...denied-handler

    I suspect you are seeing what I am seeing.

    In preauth ... if accessDenied is thrown but the user is determined to be anonymous (or if the securityHolder context is null) then it will rethrow to the authenImpl point ... which in this case rethrows and you get a standard 403.

    I have not yet found a way to deal with this but I am still trying. It's frustrating because in my case, where preauth is x509 and the user is not anonymous, I can't catch the error properly as the context is cleared by the time I get to the standard 403 error page.


    • #3
      jr

      Just updating ... I have so far been unable to handle access denied better.

      In my case (x509 with LDAP authorities) I implemented my own FilterBasedLDAPUserSearch and UserDetailsServices and changed the userNameNotFound exceptions to accessDenied. However, as I explained in the other thread, because the context is cleared the handleException method of the exception translation filter redirects to the authentication entry point.

      I tried to change this behavior (i.e. override etc.) but have been unable to do so yet. I am also concerned there may be unintended consequences from removing the isAnonymous check from that method.


      • #4
        Custom Handler fixed this

        Thanks for your input. In my case user is not anonymous. When I used my own custom access denied handler, this was fixed.


        • #5
          jr

          Glad to hear that you got it fixed.

          If possible could you post your fix? I have been unable to get a fix working.

          Thanks


          • #6
            My fix

            Here is the Class I wrote:
            import java.io.IOException;

            import javax.servlet.RequestDispatcher;
            import javax.servlet.ServletException;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            import org.springframework.security.access.AccessDeniedException;
            import org.springframework.security.web.access.AccessDeniedHandler;

            /**
             * Custom AccessDeniedHandler: forwards the denied request to a configurable
             * error page instead of letting the container render its generic 403 page.
             */
            public class AccessDeniedHandlerImpl implements AccessDeniedHandler {

                private String errorPage;

                public AccessDeniedHandlerImpl() {
                }

                public void handle(HttpServletRequest request,
                                   HttpServletResponse response,
                                   AccessDeniedException accessDeniedException)
                        throws IOException, ServletException {
                    // Keep the 403 status so clients and logs still see the denial;
                    // without this the custom page would be served with status 200.
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                    // Forward internally: the browser keeps the original URL.
                    RequestDispatcher rd = request.getRequestDispatcher(errorPage);
                    rd.forward(request, response);
                }

                public void setErrorPage(String errorPage) {
                    this.errorPage = errorPage;
                }

                public String getErrorPage() {
                    return errorPage;
                }
            }

            Here is how I configured Spring security:

            <security:http entry-point-ref="preAuthenticateEntryPoint">
                <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthenticationFilter" />
                <security:custom-filter ref="validSessionFilter" position="FIRST" />
                <security:intercept-url pattern="/admin.jsp" access="ROLE_SUPERVISOR" />
                <security:intercept-url pattern="/welcome.jsp" filters="none" />
                <security:intercept-url pattern="/invalidSession.jsp" filters="none" />
                <security:intercept-url pattern="/illegalAccess.htm" filters="none" />
                <security:intercept-url pattern="/loggedOut.jsp" filters="none" />
                <security:access-denied-handler ref="accessDeniedHandler" />
                <security:logout invalidate-session="true" logout-url="/logout.jsp"
                                 logout-success-url="/loggedOut.jsp" />
            </security:http>

            <bean id="accessDeniedHandler"
                  class="xxx.springauthentication.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/illegalAccess.htm" />
            </bean>
            Last edited by jrpalla; Nov 1st, 2011, 09:09 AM.
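            Added example (editor's note): the class below is not jrpalla's code and not part of Spring Security. It shows the same forward-to-error-page idea from post #6 with two defender-side additions, and one answer to the case jr describes in #2 and #3. First, it sets HTTP 403 and writes an audit line naming the principal and URI before forwarding, so a denial is visible to clients, proxies and log review rather than served as a 200 page. Second, it also implements AuthenticationEntryPoint: ExceptionTranslationFilter sends an AccessDeniedException to the entry point (not the handler) when the security context is anonymous or empty, so wiring this same bean as entry-point-ref is one way, assumed here, to get the custom page on that branch too. The class name AuditingAccessDeniedHandler, the use of java.util.logging, the spring-test mock objects in main() and the constructed request and exception are all assumptions of this example.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.mock.web.MockHttpServletRequest;   // spring-test, used only by main()
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Hypothetical handler (example code, not from the thread): forwards to a
 * configurable error page with status 403 and an audit log line. Implements
 * both interfaces so the same bean can serve as access-denied-handler and as
 * entry-point-ref, covering the anonymous/cleared-context branch of
 * ExceptionTranslationFilter as well as the authenticated one.
 */
public class AuditingAccessDeniedHandler implements AccessDeniedHandler, AuthenticationEntryPoint {

    private static final Logger LOG = Logger.getLogger(AuditingAccessDeniedHandler.class.getName());

    // Default matches the page used in the thread; overridden via setErrorPage().
    private String errorPage = "/illegalAccess.htm";

    // Branch 1: user is authenticated but lacks the required authority.
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String who = (auth == null) ? "<no authentication in context>" : auth.getName();
        LOG.warning("access denied: principal=" + who
                + " uri=" + request.getRequestURI() + " reason=" + ex.getMessage());
        forwardForbidden(request, response);
    }

    // Branch 2: ExceptionTranslationFilter found no authenticated principal and
    // called the entry point instead of the access denied handler.
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException ex) throws IOException, ServletException {
        LOG.warning("unauthenticated access attempt: uri=" + request.getRequestURI()
                + " reason=" + ex.getMessage());
        forwardForbidden(request, response);
    }

    private void forwardForbidden(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (response.isCommitted()) {
            // Headers already sent: a forward would throw, so leave the response as is.
            return;
        }
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher(errorPage).forward(request, response);
    }

    public void setErrorPage(String errorPage) { this.errorPage = errorPage; }
    public String getErrorPage() { return errorPage; }

    // Stand-alone check with spring-test mocks; no servlet container needed.
    public static void main(String[] args) throws Exception {
        AuditingAccessDeniedHandler handler = new AuditingAccessDeniedHandler();
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/admin.jsp"); // constructed
        MockHttpServletResponse res = new MockHttpServletResponse();

        handler.handle(req, res, new AccessDeniedException("constructed: ROLE_SUPERVISOR required"));

        if (res.getStatus() != 403 || !"/illegalAccess.htm".equals(res.getForwardedUrl())) {
            throw new AssertionError("expected 403 forward to /illegalAccess.htm, got "
                    + res.getStatus() + " " + res.getForwardedUrl());
        }
        System.out.println("ok: status=" + res.getStatus() + " forwardedUrl=" + res.getForwardedUrl());
    }
}
```

            To use it in the configuration shown in #6, point both access-denied-handler ref and entry-point-ref at the one bean. The audit line in handle() will read "<no authentication in context>" exactly in the situation jr describes, where the context has already been cleared, which makes that symptom visible in the log rather than only as a bare 403.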
