  • How to handle AccessDeniedException in Spring Security?

    I am using Spring Security 3, and I want the user to be redirected to a specific page whenever the AccessDeniedException is thrown:


    Code:
    org.springframework.security.access.AccessDeniedException: Access is denied
        at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)
    So I tried to use access-denied-handler, and here's the handler:


    Code:
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandlerImpl;
    import org.springframework.stereotype.Service;

    @Service("accessDeniedHandler")
    public class AccessDeniedHandler extends AccessDeniedHandlerImpl {

        Log log = LogFactory.getLog(getClass());

        @Override
        public void handle(HttpServletRequest request,
                HttpServletResponse response, AccessDeniedException exception)
                throws IOException, ServletException {
            log.info("############### Access Denied Handler!");
            // Target page for the forward performed by AccessDeniedHandlerImpl.handle()
            setErrorPage("/accessDenied");
            super.handle(request, response, exception);
        }

    }
    - security.xml:


    Code:
    <http use-expressions="true" auto-config="true">

        <session-management session-fixation-protection="none"/>

        <remember-me token-validity-seconds="1209600"/>

        <intercept-url pattern="/accessDenied" access="permitAll"/>

        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/j_spring_security_check" access="permitAll"/>

        <intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll"/>
        <intercept-url pattern="/xmlhttp/**" access="permitAll"/>
        <intercept-url pattern="/resources/**" access="permitAll"/>

        <intercept-url pattern="**/faces/javax.faces.resource/**" access="permitAll"/>
        <intercept-url pattern="**/xmlhttp/**" access="permitAll"/>
        <intercept-url pattern="**/resources/**" access="permitAll"/>

        <intercept-url pattern="/**" access="isAuthenticated()"/>

        <access-denied-handler ref="accessDeniedHandler"/>

        <!-- tried the error page too with no luck -->
        <!--
        <access-denied-handler error-page="/accessDenied"/>
        -->

    </http>
    But the issue is that when the exception is thrown, it doesn't enter the accessDeniedHandler class. Please advise.
    Last edited by msaleh; Jan 5th, 2012, 11:08 AM.

  • #2
    How did you configure Spring Security to use the AccessDeniedHandler? You will want to make sure to specify the <access-denied-handler ref="accessDeniedHandler"/>. See the Appendix for details. Can you post your Spring Security configuration? Another thing to note is that AccessDeniedHandler is probably not a @Service; it is probably an @Component. Last, be cautious about setting member variables inside methods (like setErrorPage), as this will likely lead to race conditions.
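    An added example, not code from either poster, of a handler that follows the advice above: it is a @Component, keeps the error page in a final field set at construction instead of calling setErrorPage() per request, and logs who was refused which URI before forwarding with a 403. The package name and class name are assumptions.

    ```java
    package com.example.security; // hypothetical package, not from the thread

    import java.io.IOException;

    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.access.AccessDeniedHandler;
    import org.springframework.stereotype.Component;

    // Registered under the bean name the XML <access-denied-handler ref="..."/> expects.
    @Component("accessDeniedHandler")
    public class LoggingAccessDeniedHandler implements AccessDeniedHandler {

        private static final Log log = LogFactory.getLog(LoggingAccessDeniedHandler.class);

        // Fixed at construction time: one shared bean serves every request,
        // so mutable per-request state here would be a race condition.
        private final String errorPage = "/accessDenied";

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException exception) throws IOException, ServletException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String principal = (auth == null) ? "<none>" : auth.getName();
            // Audit record of who was refused what; the client only sees the error page.
            log.warn("Access denied for '" + principal + "' on " + request.getMethod()
                    + " " + request.getRequestURI() + ": " + exception.getMessage());

            if (response.isCommitted()) {
                return; // headers already sent; nothing further can be changed
            }
            // Report the real outcome (403) rather than a 200 with an error page body.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
            dispatcher.forward(request, response);
        }
    }
    ```

    Because the handler forwards rather than redirects, /accessDenied must still be reachable for the denied user, which the permitAll rule in the posted configuration already covers.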



    • #3
      I updated the question with the XML configuration I am using.



      • #4
        Can you include your entire Spring Security configuration? You stated that it never enters your AccessDeniedHandler; what happens instead? For example, when I get AccessDeniedException I see an error page in the browser that says ".."



        • #5
          Just the exception is thrown in the console, no other action.
