  • Access denied handle with global method security

    I am using the global method security to protect the execution of some methods through the `@Secured` annotation.
    I tried both with 2.0.5 and with 3.0.0. The last one has some enhancements on the http tag that allow specifying an AccessDeniedHandler. Anyway, this is only for http security.
    In both versions I couldn't find a way to intercept the AccessDeniedException that is thrown from global method security. I debugged tons of lines of code and it seems that the ExceptionTranslationFilter is not involved.
    Currently I set a workaround catching the exception in the decision manager and modifying the method, letting it show an AccessDenied page. The workaround is performing well but I think it is only a workaround.
    Did I miss something in the security definition?
    Any hint is appreciated.

  • #2
    ExceptionTranslationFilter definitely should catch this, as with any other AccessDeniedException. What's the behavior you're seeing? Where is the protected method being called from? Is the user already authenticated?
    • #3
      This is the scenario.
      The user is authenticated with ROLE_AUTHENTICATED. This role allows the user practically to see only the home page and the menu.
      When the user clicks on a menu item a method is fired to open the required window. This method is secured by an annotation.
      A custom voter decides, through info stored on the principal, if the user is allowed to open that window or not.
      If the access is granted the window opens, otherwise I need a way to send out an "access denied" page.
      Actually, my workaround catches the exception at access manager level and modifies the method signature in order to open an access denied window instead of the requested one.
      What I tried before the workaround is:
      - version 2.0.5 - I used the access denied page of the http tag. This didn't work for global method security. The ExceptionTranslationFilter throws the 403 RC.
      - version 3.0.0 - I used the AccessDeniedHandler. Still, this feature is on the http tag. Same as above.
      In both cases the ExceptionTranslationFilter has been invoked, but I couldn't find a way to customize the standard behavior of throwing the 403 RC.
      As far as I could understand, the access denied condition is managed only when using web security (http) and not on global method security.
      The only way I see to avoid the workaround - which is very specific to my application - is to define explicitly all the security beans (as in old Acegi) and to customize them as needed. However, this is really cumbersome.
      Hope this clarifies what's happening.
      By the way, it would be nice to have documented the whole security bean definition that is hidden and defaulted by the security tags. This would help to have a deeper understanding of what happens behind the scenes when changing the tag definitions.
      • #4
        Do you have the <access-denied-handler> element defined with an "error-page" attribute? This attribute is what will override the response with HTTP status 403 with a redirect to the page in this attribute. This should work for either method or standard HTTP access denied stuff.
        • #5
          As you mention <access-denied-handler>, I suppose you are talking about version 3.0.0.
          I tried the <access-denied-handler> specifying a reference bean that implements the AccessDeniedHandler interface. This bean was never invoked when using global method security. I'd prefer the handler way to the error-page one because I have more control.
          Currently I downgraded the application to version 2.0.5 as I don't know the stability grade of 3.0.0. If you want me to make other tests I can make a copy of the application and upgrade it to 3.0.0. Just let me know.
          Regards
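The wiring discussed in #4 and #5, as an added example that is not code from this thread or from the Spring Security project: a method protected by `@Secured`, a bean implementing `AccessDeniedHandler` that forwards to a page of your own instead of returning a bare 403, and (in the trailing comment) the Spring Security 3.0 namespace configuration that registers the handler on the `<http>` element via `ref`, with the `error-page` alternative from #4 beside it. Package, class, bean and page names are assumptions.

```java
// Added example, not from the thread. Assumed package and names throughout.
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.web.access.AccessDeniedHandler;

/**
 * Handler that ExceptionTranslationFilter calls when an AccessDeniedException
 * reaches the filter chain for an already-authenticated user. Instead of the
 * default 403 response it records the reason and forwards to an assumed JSP.
 */
public class DenialPageAccessDeniedHandler implements AccessDeniedHandler {

    // Assumed view path; adjust to the application's own denial page.
    private static final String DENIED_VIEW = "/WEB-INF/views/accessDenied.jsp";

    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        // Keep the 403 status so monitoring still sees the denial, but render
        // a page instead of the container's error document.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.setAttribute("deniedReason", ex.getMessage());
        request.getRequestDispatcher(DENIED_VIEW).forward(request, response);
    }
}

/** Service whose method is guarded by global method security (assumed role name). */
class WindowService {

    @Secured("ROLE_WINDOW_ADMIN")
    public void openAdminWindow() {
        // Only reached when the AccessDecisionManager (and any custom voter) grants access.
    }
}

/*
 * Namespace configuration (Spring Security 3.0), assumed file and bean ids:
 *
 *   <global-method-security secured-annotations="enabled"/>
 *
 *   <beans:bean id="denialHandler"
 *               class="example.security.DenialPageAccessDeniedHandler"/>
 *
 *   <http>
 *     <intercept-url pattern="/**" access="ROLE_AUTHENTICATED"/>
 *     <form-login/>
 *     <!-- handler form, the one #5 prefers -->
 *     <access-denied-handler ref="denialHandler"/>
 *     <!-- or the attribute form from #4 (use one or the other, not both): -->
 *     <!-- <access-denied-handler error-page="/accessDenied"/> -->
 *   </http>
 */
```

The handler is reached only when the `AccessDeniedException` thrown by the method interceptor propagates, uncaught, back up through the servlet and into the filter chain where `ExceptionTranslationFilter` sits; application or UI-framework code that catches the exception earlier, or a call that happens outside of a request handled by that filter chain, never triggers it. A quick check while debugging is to set a breakpoint in `ExceptionTranslationFilter` and confirm that the exception arriving there is the one from the method call, and that the current `Authentication` is not anonymous, since for anonymous users the filter goes to the authentication entry point instead of the access denied handler.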