accessDenied page does not show.

Hi
I am trying to secure my application with Spring security. I have a login controller thats load my login page. Logging in works as expected but why does not my spring "/accessDenied.htm" show up when I enter the wrong password? I have tried making a
a controller just for that one, looks exactly like the login controller. I have also tried

<intercept-url pattern="/accessDenied.htm.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

nut i does not seem to work. Thank you for time.

Code:

---

<?xml version="1.0" encoding="UTF-8"?>

<!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml
        3019 2008-05-01 17:51:48Z luke_t $ -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

        <global-method-security secured-annotations="enabled">
        </global-method-security>

        <http auto-config="true" access-denied-page="/accessDenied.htm">
                <intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/*.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/**" access="ROLE_USER" />       
                <form-login login-page='/login.htm'/>         
        </http>
       


        <!-- Usernames/Passwords -->
        <authentication-manager>

                <authentication-provider>
                        <user-service>
                                <user name="tormod" password="123" authorities="ROLE_USER, ROLE_ADMIN" />
                                <user name="peter" password="123" authorities="ROLE_USER" />
                                <user name="bob" password="bobspassword" authorities="ROLE_USER" />
                        </user-service>
                </authentication-provider>
        </authentication-manager>




</beans:beans>

---

Code:

---

package no.capra.profileweb;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;



@Controller
@RequestMapping(value = "/login")
public class LoginController {

        @RequestMapping(method=RequestMethod.GET)
        public ModelAndView show( ) {
                ModelAndView login = new ModelAndView("login");
                return login;
        }
       

}

---

Edit: Does it have anything to do with my filters?

Code:

---

<filter>
                <filter-name>springSecurityFilterChain</filter-name>
                <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
        <filter-mapping>
                <filter-name>springSecurityFilterChain</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>

---

The AccessDeniedhandler isn't intended to deal with failed authentication. See the documentation.

Normal behaviour on a failed login would be to return the user to the login page. If you want to do something else, check the options for configuring form-login, in particular the authentication-failure-url (or authentication-failure-handler-ref if you want to plug in more sophisticated logic).

Quote:

---

Originally Posted by Luke Taylor

The AccessDeniedhandler isn't intended to deal with failed authentication. See the documentation.

Normal behaviour on a failed login would be to return the user to the login page. If you want to do something else, check the options for configuring form-login, in particular the authentication-failure-url (or authentication-failure-handler-ref if you want to plug in more sophisticated logic).

---

Thank you very much! I changed it to this and now that works.

Code:

---

<http auto-config="true">
                <intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/accessDenied.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/*.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
                <intercept-url pattern="/**" access="ROLE_USER" />
                <form-login login-page='/login.htm' default-target-url='/persons.htm' authentication-failure-url="/accessDenied.htm"/>
        </http>

---

This was what made i work I think. From the documentation

Code:

---

default-target-url:
Maps to the defaultTargetUrl property of UsernamePasswordAuthenticationFilter.
If not set, the default value is "/".....

---

But why couldn't I set the access-denied-page="/accessDenied.htm" ? Still dont understand.

Code:

---

        <filter>
                <filter-name>springSecurityFilterChain2</filter-name>
                <filter-class>org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter</filter-class>
        </filter>
        <filter-mapping>
                <filter-name>springSecurityFilterChain2</filter-name>
                <url-pattern>/*</url-pattern>
        </filter-mapping>

---

Access denied occurs when a user is already authenticated and access a URL they do not have access to (i.e. ROLE_USER tries to access a ROLE_ADMIN url).

Quote:

---

Originally Posted by rwinch

Access denied occurs when a user is already authenticated and access a URL they do not have access to (i.e. ROLE_USER tries to access a ROLE_ADMIN url).

---

Thanks! That explains it.