
  • accessDenied page does not show.

    Hi
    I am trying to secure my application with Spring Security. I have a login controller that loads my login page. Logging in works as expected, but why does my Spring "/accessDenied.htm" not show up when I enter the wrong password? I have tried making
    a controller just for that one; it looks exactly like the login controller. I have also tried

    <intercept-url pattern="/accessDenied.htm.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    but it does not seem to work. Thank you for your time.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 
    	3019 2008-05-01 17:51:48Z luke_t $ -->
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    
    	<global-method-security secured-annotations="enabled">
    	</global-method-security>
    
    	<http auto-config="true" access-denied-page="/accessDenied.htm">
    		<intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/*.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/**" access="ROLE_USER" />	
    		<form-login login-page='/login.htm'/> 	 
    	</http>
    	
    
    
    	<!-- Usernames/Passwords -->
    	<authentication-manager>
    
    		<authentication-provider>
    			<user-service>
    				<user name="tormod" password="123" authorities="ROLE_USER, ROLE_ADMIN" />
    				<user name="peter" password="123" authorities="ROLE_USER" />
    				<user name="bob" password="bobspassword" authorities="ROLE_USER" />
    			</user-service>
    		</authentication-provider>
    	</authentication-manager>
    
    
    
    
    </beans:beans>

    Code:
    package no.capra.profileweb;
    
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.servlet.ModelAndView;
    
    
    
    @Controller
    @RequestMapping(value = "/login")
    public class LoginController {
    
    	@RequestMapping(method=RequestMethod.GET)
    	public ModelAndView show( ) {
    		ModelAndView login = new ModelAndView("login");
    		return login;
    	}
    	
    
    }
    Edit: Does it have anything to do with my filters?
    Code:
    <filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    Last edited by phe; Feb 23rd, 2011, 07:51 AM.

  • #2
    The AccessDeniedHandler isn't intended to deal with failed authentication. See the documentation.

    Normal behaviour on a failed login would be to return the user to the login page. If you want to do something else, check the options for configuring form-login, in particular the authentication-failure-url (or authentication-failure-handler-ref if you want to plug in more sophisticated logic).


    • #3
      Originally posted by Luke Taylor
      The AccessDeniedHandler isn't intended to deal with failed authentication. See the documentation.

      Normal behaviour on a failed login would be to return the user to the login page. If you want to do something else, check the options for configuring form-login, in particular the authentication-failure-url (or authentication-failure-handler-ref if you want to plug in more sophisticated logic).
      Thank you very much! I changed it to this and now that works.
      Code:
      <http auto-config="true">
      		<intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      		<intercept-url pattern="/accessDenied.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      		<intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      		<intercept-url pattern="/*.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      		<intercept-url pattern="/**" access="ROLE_USER" />
      		<form-login login-page='/login.htm' default-target-url='/persons.htm' authentication-failure-url="/accessDenied.htm"/>
      	</http>
      This was what made it work, I think. From the documentation:

      Code:
      default-target-url:
      Maps to the defaultTargetUrl property of UsernamePasswordAuthenticationFilter.
      If not set, the default value is "/".....
      But why couldn't I set the access-denied-page="/accessDenied.htm"? I still don't understand.
      Code:
      	<filter>
      		<filter-name>springSecurityFilterChain2</filter-name>
      		<filter-class>org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter</filter-class>
      	</filter>
      	<filter-mapping>
      		<filter-name>springSecurityFilterChain2</filter-name>
      		<url-pattern>/*</url-pattern>
      	</filter-mapping>


      • #4
        Access denied occurs when a user is already authenticated and accesses a URL they do not have access to (i.e. ROLE_USER tries to access a ROLE_ADMIN URL).


        • #5
          Originally posted by rwinch
          Access denied occurs when a user is already authenticated and accesses a URL they do not have access to (i.e. ROLE_USER tries to access a ROLE_ADMIN URL).
          Thanks! That explains it.

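The distinction drawn in replies #2 and #4, as an added example that is not part of any post in this thread: a Spring Security 3.0 namespace configuration that wires the authentication-failure path and the access-denied path to separate pages. The `/admin/**` pattern, the `/loginFailed.htm` page and the passwords are assumptions made for illustration; the other URLs and the user names mirror the original post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <!-- access-denied-page: shown when an already AUTHENTICATED user
         requests a URL whose required role they do not hold. -->
    <http auto-config="true" access-denied-page="/accessDenied.htm">

        <!-- Pages that must be reachable before login. The failure URL is
             reached by redirect while the caller is still anonymous, so it
             needs its own rule (assumed page name). -->
        <intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/loginFailed.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <!-- Rules are matched top to bottom, first match wins, so the
             narrower admin rule (assumed path) goes before the catch-all. -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <intercept-url pattern="/**" access="ROLE_USER" />

        <!-- authentication-failure-url: where a wrong username/password
             submission ends up. This is NOT an access-denied event. -->
        <form-login login-page="/login.htm"
                    default-target-url="/persons.htm"
                    authentication-failure-url="/loginFailed.htm" />
    </http>

    <!-- Constructed sample accounts for exercising both paths. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Holds ROLE_ADMIN: may open /admin/** -->
                <user name="tormod" password="sample-only-1" authorities="ROLE_USER, ROLE_ADMIN" />
                <!-- ROLE_USER only: /admin/** leads to /accessDenied.htm -->
                <user name="peter" password="sample-only-2" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

With this configuration, logging in as `peter` and requesting a URL under `/admin/` produces `/accessDenied.htm`, while a wrong password for any account redirects to `/loginFailed.htm`.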