  • Process 401/403 differently according to URLs

    I have three types of URLs to be protected:
    UI - /ui/**
    RESTful Web Service - /ws/rest/**
    SOAP Web Service - /ws/soap/**

    For UI URLs, if a user is not authenticated, I want them to be redirected to the login page automatically; if the URL is not authorized, a friendly page should be shown instead of the default 403 error page.
    It's quite simple: just specify a "login-page" and "access-denied-page" as below:

    <security:http auto-config='true' access-denied-page="/ui/accessDenied.jsp">
        <security:intercept-url pattern="/ui/test.jsp" access="ROLE_ROLE" />
        <!-- "/**" also matches nested paths such as /ws/rest/a/b, which the /ws/rest/** requirement
             above needs; a single "*" would leave those paths unprotected -->
        <security:intercept-url pattern="/ws/rest/**" access="ROLE_ADMIN" />
        <security:intercept-url pattern="/ws/soap/**" access="ROLE_ADMIN" />
        <security:form-login login-page="/ui/login.jsp" />
        <security:remember-me key="changeit" />
    </security:http>

    Now, the problem is that the RESTful and SOAP web services should behave differently. For an unauthenticated user, a 401 error should be returned to the client instead of a redirect to the login page; for unauthorized URLs, a 403 error code should be returned instead of the user-friendly "access-denied-page". How can I do that?

    I am using Spring Security 2.0 with namespace configuration.

  • #2
    I want to inject my own authenticationEntryPoint (redirect to the login page for UI URLs, send error 401 for web service URLs) and accessDeniedHandler (redirect to the 'access-denied-page' for UI URLs, send error 403 for web service URLs) into the
    exceptionTranslationFilter to do that, but it seems that I cannot do it using namespace configuration.


    • #3
      I have solved half of this issue.
      I think for 401 (unauthenticated) requests, I can replace the "authenticationEntryPoint" in ExceptionTranslationFilter with namespace configuration this way:

      <security:http auto-config='true' entry-point-ref="authenticationEntryPoint">
          <!-- intercept-url, form-login and remember-me elements as before -->
      </security:http>
      <!-- class: a fully qualified class implementing org.springframework.security.ui.AuthenticationEntryPoint -->
      <bean id="authenticationEntryPoint" class="my own entry point"/>

      But for 403, I need to replace the "accessDeniedHandler"; however, the namespace configuration does not allow replacing it. How can I replace the accessDeniedHandler?


      • #4
        Use the "entry-point-ref" attribute.


        • #5
          Thanks for your reply. I also found this in the Spring doc, but for 403 it seems that we can only specify a page; it's not allowed to replace the accessDeniedHandler.


          My workaround is to specify the access-denied-page as a servlet or Struts action which will handle the complexity (forward to a JSP for UI access, send error code 403 for web service access).

          Anyway, it would be great if <security:http> could have a new attribute "access-denied-handler-ref" :-)
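Added example, not code from this thread or from the Spring Security project: the per-URL AuthenticationEntryPoint that posts #2 to #4 converge on (wired with entry-point-ref), together with the servlet that post #5 describes as the access-denied-page workaround, written against the Spring Security 2.0 API. The package name, class names, bean ids, the "/ws/" prefix test, the servlet URL and the HTTP Basic challenge for web-service clients are all assumptions; the /ui and /ws prefixes and the JSP names follow the original post.

```java
// Two source files in one listing; the namespace wiring they assume (replacing the
// <security:http> opening tag in the original post) is:
//   <security:http auto-config="true" entry-point-ref="entryPoint"
//                  access-denied-page="/accessDeniedDispatcher"> ... </security:http>
//   <bean id="uiEntryPoint"
//         class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
//       <property name="loginFormUrl" value="/ui/login.jsp"/>
//   </bean>
//   <bean id="entryPoint" class="example.security.UrlAwareAuthenticationEntryPoint">
//       <constructor-arg ref="uiEntryPoint"/>
//   </bean>
// plus a web.xml servlet-mapping of AccessDeniedDispatcherServlet to /accessDeniedDispatcher.

// ---- File: example/security/UrlAwareAuthenticationEntryPoint.java ----
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.AuthenticationException;
import org.springframework.security.ui.AuthenticationEntryPoint;

/** Starts authentication differently for browsers (/ui/**) and web-service clients (/ws/**). */
public class UrlAwareAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private final AuthenticationEntryPoint uiEntryPoint;

    /** @param uiEntryPoint the form-login entry point (redirect to /ui/login.jsp) for UI requests */
    public UrlAwareAuthenticationEntryPoint(AuthenticationEntryPoint uiEntryPoint) {
        this.uiEntryPoint = uiEntryPoint;
    }

    /** True for /ws/** paths. Strips the context path first so the rule still holds when the
     *  application is deployed under a context root other than "/". */
    public static boolean isWebServicePath(String requestUri, String contextPath) {
        return requestUri.startsWith(contextPath)
            && requestUri.substring(contextPath.length()).startsWith("/ws/");
    }

    public void commence(ServletRequest request, ServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isWebServicePath(req.getRequestURI(), req.getContextPath())) {
            // A 401 must carry a challenge header; HTTP Basic is an assumption about
            // how the web-service clients authenticate.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"ws\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        // Browser request: the same redirect to the login form the namespace would produce.
        uiEntryPoint.commence(request, response, authException);
    }
}

// ---- File: example/security/AccessDeniedDispatcherServlet.java ----
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Mapped to the URL given as access-denied-page. AccessDeniedHandlerImpl has already set
 * status 403 and reaches this servlet with a FORWARD, so the denied request's own path is in
 * the javax.servlet.forward.request_uri attribute (Servlet 2.4+); getRequestURI() here would
 * return this servlet's path and so would classify every request as a UI request.
 */
public class AccessDeniedDispatcherServlet extends HttpServlet {

    private static final String FORWARD_REQUEST_URI = "javax.servlet.forward.request_uri";
    private static final String FRIENDLY_PAGE = "/ui/accessDenied.jsp";

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String deniedUri = (String) req.getAttribute(FORWARD_REQUEST_URI);
        if (deniedUri == null) {
            deniedUri = req.getRequestURI(); // reached directly rather than via the handler
        }
        if (UrlAwareAuthenticationEntryPoint.isWebServicePath(deniedUri, req.getContextPath())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
            return;
        }
        // Status is already 403; render the friendly page in place of the container's error page.
        req.getRequestDispatcher(FRIENDLY_PAGE).forward(req, resp);
    }
}
```

Two checks worth making after wiring this up: neither /ui/login.jsp nor the dispatcher URL may fall under an intercept-url pattern that requires a role (with the original post's patterns they do not), or the redirect and forward would be denied in turn; and the 401 branch should be exercised with a request to a nested path such as /ws/rest/a/b to confirm the pattern and the prefix test agree.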


          • #6
            I submitted a CR for you, please evaluate it :-)