  • access-denied-handler + spring security 3.2.0.M1

    Hi,

    Java 1.7u21
    Spring Security 3.2.0.M1
    Spring 3.2.3.RELEASE

    I seem to be having a problem with the hand-off to an access-denied-handler and Spring Security 3.2.0.M1. I'm unsure if this is my issue or Spring Security issue.

    Please note, that I *am* using Async despatch to avail of Web 3.0 and Spring 3 MVC capabilities (also using Spring Security 3.2.0.M1 that allows the SecurityContext to be successfully fetched from an Async operation).

    Here is an example of my security configuration:

    Code:
        <security:http create-session="stateless" entry-point-ref="customAuthenticationEntryPoint" pattern="/custom/**" use-expressions="true">
            <security:access-denied-handler ref="accessDeniedHandler"/>
            <security:anonymous enabled="false"/>
            <security:custom-filter ref="customAuthenticationFilter" after="SECURITY_CONTEXT_FILTER"/>
            <security:intercept-url pattern="/custom/**" access="hasAuthority('PERM_A')  and isAuthenticated()"/>
        </security:http>
    Here is the configuration of the accessDeniedHandler:

    Code:
        <bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
            <property name="errorPage" value="/security/shoo"/>
        </bean>
    Stepping through the code, I successfully authenticate a user and give them PERM_A and place that user within the SecurityContext. This user is checked and isAuthenticated == true in the AbstractSecurityInterceptor.

    For testing, this user does not have the privilege to invoke this controller method:

    Code:
    @PreAuthorize("hasAuthority('PERM_B')")
    @RequestMapping("/doSomething")
    public Callable<CustomResponse> doSomething() {
    }
    When the user does authenticate and then, within the same request, tries to call /doSomething, I get an appropriate AccessDeniedException. However, the access-denied-handler is *not* being invoked.

    Any suggestions please?

    -=david=-
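An added example, not code from the post above or from Spring Security itself: a custom AccessDeniedHandler that can be wired in place of the AccessDeniedHandlerImpl bean from the post (same `ref="accessDeniedHandler"`, same `errorPage` property) and records which principal was refused which URI before rendering the same error page. The package and class names are assumptions. It is also the quickest way to confirm whether the handler is reached at all: ExceptionTranslationFilter only calls the access-denied-handler for an AccessDeniedException that propagates back out of the rest of the filter chain from an authenticated (non-anonymous) user, so an exception that a Spring MVC HandlerExceptionResolver or an @ExceptionHandler method resolves first never gets this far.

```java
package example.security; // assumed package name, not from the post

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

/**
 * Drop-in replacement for the AccessDeniedHandlerImpl bean in the post.
 *
 * Wire it the same way, e.g.
 *   <bean id="accessDeniedHandler" class="example.security.AuditingAccessDeniedHandler">
 *       <property name="errorPage" value="/security/shoo"/>
 *   </bean>
 *
 * Java 7 compatible (no lambdas), matching the poster's runtime.
 */
public class AuditingAccessDeniedHandler implements AccessDeniedHandler {

    // Delegate keeps the stock behaviour: set 403 and forward to the error page
    // when one is configured, otherwise sendError(403).
    private final AccessDeniedHandlerImpl delegate = new AccessDeniedHandlerImpl();

    public void setErrorPage(String errorPage) {
        delegate.setErrorPage(errorPage);
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String principal = (auth == null) ? "<none>" : auth.getName();

        // Audit line: who was refused, what they asked for, and why. Seeing this
        // line is proof that ExceptionTranslationFilter handed the exception over.
        System.err.printf("access denied: user=%s method=%s uri=%s reason=%s%n",
                principal, request.getMethod(), request.getRequestURI(), ex.getMessage());

        // If something earlier already committed the response, the forward or
        // sendError in the delegate would fail; there is nothing left to do.
        if (response.isCommitted()) {
            return;
        }
        delegate.handle(request, response, ex);
    }
}
```

If the audit line never appears while the AccessDeniedException is visible in the logs, the exception is being consumed before it reaches the security filter chain, which is the place to look next; if the line does appear but the error page does not render, the problem is in the forward to /security/shoo (for example a view that requires a session on a `create-session="stateless"` chain).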