How do I log access denied (403) error ?

[pavelj]

Hi,

when authenticated user tries to access area secured by FilterSecurityInterceptor without having the required role, Acegi generates the "Access denied" error (403). This is fine, I have the application server to catch the error and show the error page. But it would be nice to have the error logged as well.

Is there any way to achieve that? I thought of some similar solution like LoggerListener for authentication failures...

Thanks,
Pavel

[Ben Alex]

You can do it today by subclassing SecurityEnforcementFilter and overriding sendAccessDeniedError(ServletRequest, ServletResponse).

If other people want this feature built into Acegi Security, please speak up and I'll be pleased to add it.

[2devnull]

+1 to include feature

[2devnull]

Regarding this topic. I need a way to be able to externally call a controller so that my error page gets decorated by Sitemesh. Currently, using <error-page> tag in web.xml to trap the 403 returns the error page undecorated. So since that seems to be a Sitemesh bug, I tried this way to subclass the SecurityEnforcementFilter's sendAccessDeniedError method with the following code in it, but I still get the error page undecorated. Is there any way around this?

Code:

protected void sendAccessDeniedError(ServletRequest request, ServletResponse response) throws IOException {
		try {
		request.getRequestDispatcher("/browse/error.htm").forward(request, response);
		} catch (ServletException se) {}
	}

[2devnull]

I guess one way to do it is to forward to a dummy page that has a meta refresh tag that calls your error page. Then the decorators will get applied since the client is making the request.

[Ben Alex]

I've just added to CVS a new package: net.sf.acegisecurity.intercept.event. It contains a variety of events which are published by AbstractSecurityInterceptor. There is also a LoggerListener which outputs the events to Commons Logging. Hopefully this will meet your requirements.