@PreAuthorize doesn't trigger CAS login redirection

  • @PreAuthorize doesn't trigger CAS login redirection

    If I have a page whose access is defined in the security.xml

    <security:intercept-url pattern="\A/map*" access="ROLE_ADMIN,ROLE_ALPHA" requires-channel="http"/>
    and hit that page when there's no valid CAS token, it redirects me to my cas login page.
    But if I have a method in my controller like this:

    	public String mapTest(){
    		return "/test/map";
    	}
    the exception of being not authorized is still logged, but it doesn't trigger the redirect to the CAS login page. Not a super big deal, I can move that rule to the xml, but is this a known issue?

  • #2
    If you have a question and a stacktrace, it is usually a good idea to post the full stacktrace (it helps for others to troubleshoot your problem). When posting a stack or code please be sure to use code tags.

    My guess is that you have added something in Spring MVC that is catching the exception instead of letting it propagate to Spring Security. You might read through the MVC Handling Exceptions.


    • #3
      I'm no stranger to stack traces, it wasn't very illuminating here.

      You're absolutely right, when restricting access based on the annotation, the exception was being caught in a global access denied exception handler that I put in my generic base controller.

      Is there a recommended workaround for this, or is it suggested to not use the PreAuthorize annotation in conjunction with CAS?


      • #4
        I can think of a few options. The easiest would be to register a handler that ignores Spring Security Exceptions (i.e. lets them propagate up). An alternative would be to have Spring MVC use the AuthenticationEntryPoint to send the user to the login page. However, this is likely to be a lot more work and you might forget to do other important things (i.e. save the exception). In short, I would have Spring MVC ignore Spring Security Exceptions.

        PS: I requested the stack trace because it may help me (I don't know until I see it). It may not provide much information to you since you are sitting there performing actions, able to debug the code, etc. But it provides a lot of information in a very concise way to someone who doesn't have access to the code/configuration. In short, the stacktrace is to help me (or others) help you.
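
The first option from post #4, sketched as an added example that is not part of the original thread and is not code from either poster. `BaseController`, `handleUnexpected` and the view name are hypothetical stand-ins for the "generic base controller" and its global handler; the exception classes and `@ExceptionHandler` are the real Spring Security and Spring MVC types.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.ExceptionHandler;

// Hypothetical base controller that all application controllers extend.
public abstract class BaseController {

    // A broad handler like this is what swallows the failure raised by
    // @PreAuthorize: the exception is resolved to a view inside the
    // DispatcherServlet, so Spring Security's ExceptionTranslationFilter
    // never sees it and the CAS entry point is never invoked.
    @ExceptionHandler(Exception.class)
    public String handleUnexpected(Exception ex) {
        return "error/general"; // hypothetical view name
    }

    // Spring MVC picks the most specific matching handler, so this one wins
    // over the catch-all above. Rethrowing leaves the exception unresolved;
    // it propagates out of the servlet to ExceptionTranslationFilter, which
    // saves the request and starts the configured entry point (the CAS
    // redirect) for anonymous users, or applies the access-denied handling
    // for users who are already logged in.
    @ExceptionHandler(AccessDeniedException.class)
    public void rethrowAccessDenied(AccessDeniedException ex) {
        throw ex;
    }

    // Same treatment for authentication failures, for example when no
    // Authentication object is present in the security context at all.
    @ExceptionHandler(AuthenticationException.class)
    public void rethrowAuthentication(AuthenticationException ex) {
        throw ex;
    }
}
```

The `intercept-url` rule in security.xml is unaffected either way, because it is enforced in the filter chain before the request reaches any controller.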


        • #5
          Great, thanks for the pointer!