  • Custom access denied page breaks security restrictions!

    I have been experimenting with a few things for Spring Security and there is something that either:
    1. Is a pretty serious bug
    2. Is something that is meant to behave differently than the way I'm thinking of
    3. Is something I have configured wrong

    I'm trying to use a custom access denied page for forwarding users to when they attempt to access a page they don't have access to. I can get it to throw the '403' error which is displayed with the default Tomcat error page but when I attempt to set the custom error page properties it turns out that suddenly users have access to a page they shouldn't have access to! It just seems odd to me that the custom error page configuration seems to break the enforcement of the actual security restrictions!

    My Environment:
    - SpringSource Tool Suite 2.5.1
    - tc Server Developer 2.1.0 (packaged with STS)
    - Spring Security 3.0.4
    - Spring Framework 3.0.5

    First how about what does work as I would expect before I add the custom access denied page:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi=""
    	xmlns="" xmlns:web=""
    	id="WebApp_ID" version="2.5">

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns=""
    	<sec:http auto-config="true" >
    		<sec:intercept-url pattern="/login.jsp" filters="none"/>
    		<sec:intercept-url pattern="/accessDenied.jsp" filters="none"/>
    		<sec:intercept-url pattern="/images/**" filters="none"/>
    		<sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
    		<sec:intercept-url pattern="/**" access="ROLE_USER" />
    		<sec:form-login login-page="/login.jsp"
    			authentication-failure-url="/login.jsp?login_error" />
    		<sec:logout logout-success-url="/" logout-url="/logout" />
    				<sec:user name="jsmith"
    					authorities="ROLE_USER, ROLE_ADMIN" password="john" />
    				<sec:user name="jdoe" authorities="ROLE_USER"
    					password="jane" />

    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "">
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <%@ taglib prefix="c" uri=""%>
    <title>Insert title here</title>
    <img src="./images/banner.jpg"><br>
    <c:if test="${param.login_error != null}">
    	<div style="color: red">The system could not log you in:. Please
    	try again.
    	<p>Reason: <c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}" />.
    <form action="j_spring_security_check" method="POST">User Name: <input
    	type="text" name="j_username"><br />
    Password: <input type="password" name="j_password"><br />
    <input type="submit" value="LogIn"><br />

    So according to this the entire application is restricted to 'ROLE_USER' and things in the '/admin/**' path are restricted to 'ROLE_ADMIN'. When I test this (which above has no custom error page set) it behaves as expected and the 'jsmith' user can access an '/admin/admin.jsp' file but the user 'jdoe' attempting to access the same page will get the generic Tomcat 'HTTP Status 403 - Access is denied' error page.

    So now I want this to redirect to a custom error page. I was looking at a few ways to do this with the Spring Security configuration.

    <sec:http auto-config="true"

    <sec:http auto-config="true">
    	... same code as before
    	<sec:access-denied-handler error-page="/accessDenied.jsp" />

    BOTH of the above ways I tried to do this:
    - Did prompt me for login information so it knew the application was secure
    - Displayed the '/admin/admin.jsp' page when logging in as the 'jdoe' user! (This clearly violates the security restrictions)
    - Did display the '/accessDenied.jsp' page if I submitted a direct request for it (so it wasn't giving a 404 or something for the access denied page)

    I was able to get this to work by reverting to the previous configuration, which had no custom access denied page in the Spring Security configuration, and simply registering a '403' error code error page in the web.xml. My understanding of the 'access-denied-page' attribute of the <sec:http> tag and the <sec:access-denied-handler> tag, though, is that you should be able to configure this in the Spring configuration.

    It would be one thing if it simply didn't work and gave me some other kind of error, but suddenly violating the security restrictions that had worked previously seems to me like a serious bug! Hopefully it is the case of me having something set up wrong or simply not understanding the intended behavior of these settings.

    I will see if I can remove some of the unneeded JARs for this error from my WAR and simplify it so it just demonstrates this error. If I can I will post a WAR file for someone else to verify if this is broken like I think it is.
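
Added example, not part of the original post and not Spring Security code: a black-box regression check for the symptom described above. It derives the expected allow/deny decision from the post's intercept-url rules and users and flags any 200 response the rules say should be denied; the Ant matcher is simplified and the observed status codes are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

# Rules copied from the post's <sec:http> block; "sec:" dropped so it parses standalone.
RULES_XML = """
<http>
  <intercept-url pattern="/login.jsp" filters="none"/>
  <intercept-url pattern="/accessDenied.jsp" filters="none"/>
  <intercept-url pattern="/images/**" filters="none"/>
  <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
  <intercept-url pattern="/**" access="ROLE_USER"/>
</http>
"""
USERS = {"jsmith": {"ROLE_USER", "ROLE_ADMIN"}, "jdoe": {"ROLE_USER"}}

def ant_to_regex(pattern):
    """Simplified Ant matcher: ** crosses '/', * and ? stay inside one path segment."""
    out = ""
    for tok in re.split(r"(\*\*|\*|\?)", pattern):
        out += {"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
    return re.compile("^" + out + "$")

def load_rules(xml_text):
    """Return [(compiled pattern, required roles or None for filters="none")] in file order."""
    rules = []
    for el in ET.fromstring(xml_text).iter("intercept-url"):
        roles = None if el.get("filters") == "none" else {
            r.strip() for r in el.get("access", "").split(",")}
        rules.append((ant_to_regex(el.get("pattern")), roles))
    return rules

def expected_allowed(rules, user, path):
    """First matching rule wins; any one listed role is enough (role-voter semantics)."""
    for regex, roles in rules:
        if regex.match(path):
            return roles is None or bool(roles & USERS[user])
    return True  # no rule matched: the URL is not secured at all

def violations(rules, observed):
    """Requests answered 200 although the rules deny that user: an authorization bypass."""
    return [(u, p, s) for (u, p, s) in observed
            if s == 200 and not expected_allowed(rules, u, p)]

# Constructed observations (user, path, HTTP status), modelling the symptom in the post.
OBSERVED = [("jsmith", "/admin/admin.jsp", 200), ("jdoe", "/accessDenied.jsp", 200),
            ("jdoe", "/admin/admin.jsp", 200)]

if __name__ == "__main__":
    print(violations(load_rules(RULES_XML), OBSERVED))
```

In a live check, fill `OBSERVED` from authenticated requests made as each test user against a test deployment, and rerun it after any change to the `<sec:http>` error handling or a Spring Security upgrade.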


  • #2
    Example project to demonstrate the problem

    Unfortunately I can't upload a full WAR for the problem because of the size of the JAR libraries.

    Attached is a zip file which hopefully could be imported as an existing project into STS to use Maven to build the WAR.


    • #3
      Other related info

      I also found a few other resources that might be related to this in trying to investigate:

      This bug report seems to mention the kind of error that I am seeing almost exactly. Unfortunately it was rejected for lack of "evidence". Perhaps my description can provide more evidence/repeatability for this:

      I agree that I had tried this with Spring Security 3.0.4 and not the latest 3.0.5 but I don't see many changes for 3.0.5 that seem to affect the areas that might be involved.

      This forum post describes a problem that had seemed to be similar but because of the presence of a URL rewriting filter it was suggested at the time that was the problem:

      In particular in this forum post I thought it interesting that it described that things worked differently when an <access-denied-handler error-page=".."> tag was used.

      I wanted to see if I could get some thoughts on the forum here before opening a bug report.



      • #4
        Please try with the latest version. 3.0.5 includes fixes related to request forwarding which may well be the cause of the problem.


        • #5
          3.0.5 in SS EBR anytime soon?

          I would try with 3.0.5 but it is not yet available in the SpringSource Enterprise Bundle Repository. I've been trying to get all of my resources from this repository as a single source since that is suggested in the FAQ of the bundle repository and by other posts by Spring developers about how to get Spring from there.

          Is it just me or is it odd that the latest version of a Spring project is not available in the Spring-maintained repository almost two months after the release of Spring Security 3.0.5?

          Spring Security 2.0.6 was announced 10/27/2010 and added to EBR on 11/12/2010. Spring Security 3.0.4 was announced 11/15/2010 and added to EBR 12/23/2010. Spring Security 3.0.5 was announced only a few days later on 11/18/2010 but is still not in EBR?

          I'll see if I can try with the latest version next week but right now this is lower priority until I get a few other things done. Maybe by next week 3.0.5 will be in EBR.

          Last edited by stuart_wildcat; Jan 15th, 2011, 11:47 AM.


          • #6
            I would really recommend that you use Maven Central in preference to EBR. All your dependencies are available from there without having to define any extra repositories at all.

            You'll find that Spring example projects such as greenhouse are using Maven Central these days (