Handling AccessDenied with Method Level Security

  • Handling AccessDenied with Method Level Security

    I have a method secured with Spring Security as follows:

    Code:
    @PreAuthorize("hasRole('add_user')")
    public void addUser(User user);
    If a user without enough permissions tries to invoke it, an AccessDeniedException is thrown:

    Code:
    org.springframework.security.access.AccessDeniedException: Access is denied
    This is what's expected, but the question is: why is the access-denied-handler defined in the security.xml configuration file not working?

    Code:
    <access-denied-handler error-page="/accessDenied"/>
    Shouldn't the user get redirected automatically to the access denied page when this exception is thrown, or do I have to define such behavior explicitly in code?

    Please advise.

    UPDATE: security configuration:

    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:util="http://www.springframework.org/schema/util"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
            http://www.springframework.org/schema/util
            http://www.springframework.org/schema/util/spring-util-3.1.xsd">

        <!-- Enable @PreAuthorize/@PostAuthorize method-level security annotations -->
        <global-method-security pre-post-annotations="enabled" />

        <!-- access-denied-page sets the error page of the AccessDeniedHandler used by
             the ExceptionTranslationFilter; it is only invoked for an AccessDeniedException
             that propagates out of the filter chain while the user is authenticated -->
        <http use-expressions="true" auto-config="true" access-denied-page="/accessDenied">

            <!-- "none" switches session fixation protection off: the session id is not
                 changed on login, so a session id set before authentication survives it -->
            <session-management session-fixation-protection="none"/>

            <remember-me token-validity-seconds="1209600"/>

            <intercept-url pattern="/accessDenied" access="permitAll"/>
            <intercept-url pattern="/login" access="permitAll"/>
            <intercept-url pattern="/j_spring_security_check" access="permitAll" />

            <intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll" />
            <intercept-url pattern="/xmlhttp/**" access="permitAll" />
            <intercept-url pattern="/resources/**" access="permitAll" />
            <intercept-url pattern="/scripts/**" access="permitAll" />
            <intercept-url pattern="/images/**" access="permitAll" />
            <intercept-url pattern="/css/**" access="permitAll" />

            <!-- All pages require authentication (not anonymous user).
                 Patterns are evaluated in order and the first match wins, so the
                 /faces/** rule is never reached once /** has matched -->
            <intercept-url pattern="/**" access="isAuthenticated()" />
            <intercept-url pattern="/faces/**" access="isAuthenticated()" />

            <form-login default-target-url="/"
                always-use-default-target="true"
                login-processing-url="/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=1"
            />

            <logout logout-url="/logout" logout-success-url="/login" />
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider user-service-ref="userDetailsServiceImpl"/>
        </authentication-manager>

    </beans:beans>
    Last edited by sword101; Oct 27th, 2011, 11:21 AM.

  • #2
    Sword

    When you say not working what do you mean ? What DOES happen ? a 403 page or ?

    I use the configuration you posted and it does work ..however Spring's use of accessDeneid has a few conditions that can be difficult.



    • #3
      I mean that when the AccessDeniedException occurs (because the user doesn't have permission on a service method), the exception is thrown and the user is not redirected to the access denied page.



      • #4
        OK

        In my case the access denied config is its own line, not a part of the http element:

        Code:
        <access-denied-handler error-page="/accessDenied" />
        When you debug, do you see a request for that page, or not at all?

        It's important to know that accessDenied acts differently depending on what exactly is happening.

        So for example, if your user had insufficient AUTHORITIES then you will likely get to the accessDenied page; however, if your user is otherwise unauthenticated, because your user details service cannot find the user, then you will not get accessDenied.

        You might try putting a break point in the o.s.s.web.access.ExceptionTranslationFilter handleException method, where you can see the accessDenied filter being called. It is not called in all cases of the AccessDeniedException.

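As an added example (not code from the original thread), the following Java program drives Spring Security's ExceptionTranslationFilter directly, wired the way the posted security.xml wires it (access-denied-page="/accessDenied", login-page="/login"), and walks through the cases #4 describes plus one more worth ruling out when "the exception is thrown but no redirect happens": the application catching the exception before it reaches the filter. It is written against the Spring Security 3.0.x API that the posted schema references (3.1 moved the entry point into the ExceptionTranslationFilter constructor) and uses spring-test's MockHttpServletRequest/MockHttpServletResponse to record what the filter does. The request path, the authority names and the three FilterChain stand-ins for the application are assumptions for illustration.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/** Example driver for ExceptionTranslationFilter (Spring Security 3.0.x API); not part of the thread. */
public class AccessDeniedTranslationDemo {

    /** Programmatic equivalent of access-denied-page="/accessDenied" and login-page="/login". */
    static ExceptionTranslationFilter buildFilter() throws Exception {
        LoginUrlAuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint();
        entryPoint.setLoginFormUrl("/login");
        entryPoint.afterPropertiesSet();

        AccessDeniedHandlerImpl handler = new AccessDeniedHandlerImpl();
        handler.setErrorPage("/accessDenied"); // the error page must begin with "/"

        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
        filter.setAuthenticationEntryPoint(entryPoint);
        filter.setAccessDeniedHandler(handler);
        filter.afterPropertiesSet();
        return filter;
    }

    /* Hypothetical stand-ins for the rest of the chain after the secured service method refused the call. */

    /** The AccessDeniedException propagates out of the application untouched. */
    static final FilterChain ESCAPES = new FilterChain() {
        public void doFilter(ServletRequest req, ServletResponse res) {
            throw new AccessDeniedException("Access is denied");
        }
    };

    /** A view layer wrapped it in a ServletException; the filter searches the cause chain. */
    static final FilterChain WRAPPED = new FilterChain() {
        public void doFilter(ServletRequest req, ServletResponse res) throws ServletException {
            throw new ServletException(new AccessDeniedException("Access is denied"));
        }
    };

    /** The application caught it (a catch (Exception e) that only logs), so the filter never sees it. */
    static final FilterChain SWALLOWED = new FilterChain() {
        public void doFilter(ServletRequest req, ServletResponse res) {
            try {
                throw new AccessDeniedException("Access is denied");
            } catch (AccessDeniedException e) {
                // swallowed on purpose to reproduce the failure mode
            }
        }
    };

    /** Runs one request through the filter under the given SecurityContext and returns the recorded response. */
    static MockHttpServletResponse run(Authentication auth, FilterChain app) throws Exception {
        SecurityContextHolder.getContext().setAuthentication(auth);
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/faces/users.xhtml"); // assumed path
        MockHttpServletResponse response = new MockHttpServletResponse();
        try {
            buildFilter().doFilter(request, response, app);
        } finally {
            SecurityContextHolder.clearContext();
        }
        return response;
    }

    static void report(String label, MockHttpServletResponse r) {
        System.out.println(label + ": status=" + r.getStatus()
                + " forward=" + r.getForwardedUrl() + " redirect=" + r.getRedirectedUrl());
    }

    public static void main(String[] args) throws Exception {
        // Authenticated like the user in the debug log: access_viewUsers only, no add_user authority.
        Authentication loggedIn = new UsernamePasswordAuthenticationToken(
                "user", "[PROTECTED]", AuthorityUtils.createAuthorityList("access_viewUsers"));
        Authentication anonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        report("escapes  ", run(loggedIn, ESCAPES));    // authenticated, exception reaches the filter
        report("wrapped  ", run(loggedIn, WRAPPED));    // authenticated, exception is a cause of a ServletException
        report("anonymous", run(anonymous, ESCAPES));   // anonymous user hits the entry point, not the handler
        report("swallowed", run(loggedIn, SWALLOWED));  // exception never leaves the application
    }
}
```

Run it with spring-security-core, spring-security-web, spring-test and the servlet API on the classpath. For an authenticated user whose AccessDeniedException reaches the filter, AccessDeniedHandlerImpl sets a 403 status and forwards to the error page, and the forward is still recorded when the exception arrives wrapped, because the filter's ThrowableAnalyzer walks the cause chain. For an anonymous user the filter calls the authentication entry point instead, which redirects to the login page; that is the distinction #4 draws. In the swallowed case the response records neither a forward nor a redirect, which is the first thing to rule out with the breakpoint #4 suggests: if handleException is never entered, the exception is being caught somewhere between the service method and the filter.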


        • #5
          Following are the debug messages logged before the AccessDeniedException is thrown:

          Code:
          DEBUG [http-bio-8080-exec-1] (PrePostAnnotationSecurityMetadataSource.java:93) - @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('add_user')) found on specific method: public void com.myapp.service.impl.UserServiceImpl.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException
          DEBUG [http-bio-8080-exec-1] (DelegatingMethodSecurityMetadataSource.java:66) - Adding security method [CacheKey[com.myapp.service.impl.UserServiceImpl; public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException]] with attributes [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
          DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:191) - Secure object: ReflectiveMethodInvocation: public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException; target is of class [com.myapp.service.impl.UserServiceImpl]; Attributes: [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
          DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c650d918: Principal: org.springframework.security.core.userdetails.User@db344023: Username: [email protected]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: access_viewUsers; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E6BBAC0CD4499B1455227DC6035CC882; Granted Authorities: access_viewUsers
          DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@1d1e082e, returned: -1
          DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.RoleVoter@1eab12f1, returned: 0
          DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: [email protected]bf1, returned: 0
          Please advise.

