
Thread: accessDenied page does not show.

  1. #1

    accessDenied page does not show.

    Hi
    I am trying to secure my application with Spring Security. I have a login controller that loads my login page. Logging in works as expected, but why doesn't my Spring "/accessDenied.htm" show up when I enter the wrong password? I have tried making a controller just for that one, which looks exactly like the login controller. I have also tried

    <intercept-url pattern="/accessDenied.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    but it does not seem to work. Thank you for your time.

    Code:
    <?xml version="1.0" encoding="UTF-8"?>

    <!-- - Sample namespace-based configuration - - $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $ -->

    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

        <global-method-security secured-annotations="enabled" />

        <http auto-config="true" access-denied-page="/accessDenied.htm">
            <intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/*.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/**" access="ROLE_USER" />
            <form-login login-page="/login.htm" />
        </http>

        <!-- Usernames/Passwords -->
        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="tormod" password="123" authorities="ROLE_USER, ROLE_ADMIN" />
                    <user name="peter" password="123" authorities="ROLE_USER" />
                    <user name="bob" password="bobspassword" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>

    </beans:beans>

    Code:
    package no.capra.profileweb;

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.servlet.ModelAndView;

    // Serves the login page on GET; the form's POST is handled by Spring Security's
    // form-login filter, not by this controller.
    @Controller
    @RequestMapping(value = "/login")
    public class LoginController {

        @RequestMapping(method = RequestMethod.GET)
        public ModelAndView show() {
            ModelAndView login = new ModelAndView("login");
            return login;
        }
    }
    Edit: Does it have anything to do with my filters?
    Code:
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    Last edited by phe; Feb 23rd, 2011 at 06:51 AM.

  2. #2
    Luke Taylor, Acegi Security System Team / Spring Team (Glasgow, Scotland; joined Aug 2004; 3,449 posts)

    The AccessDeniedHandler isn't intended to deal with failed authentication. See the documentation.

    Normal behaviour on a failed login would be to return the user to the login page. If you want to do something else, check the options for configuring form-login, in particular the authentication-failure-url (or authentication-failure-handler-ref if you want to plug in more sophisticated logic).
    Spring - by Pivotal
    twitter @tekul

  3. #3

    Quote Originally Posted by Luke Taylor
    The AccessDeniedHandler isn't intended to deal with failed authentication. See the documentation.

    Normal behaviour on a failed login would be to return the user to the login page. If you want to do something else, check the options for configuring form-login, in particular the authentication-failure-url (or authentication-failure-handler-ref if you want to plug in more sophisticated logic).
    Thank you very much! I changed it to this and now that works.
    Code:
    <http auto-config="true">
        <intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/accessDenied.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/*.png" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/*.css" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login.htm" default-target-url="/persons.htm" authentication-failure-url="/accessDenied.htm" />
    </http>
    This was what made it work, I think. From the documentation:

    Code:
    default-target-url:
    Maps to the defaultTargetUrl property of UsernamePasswordAuthenticationFilter.
    If not set, the default value is "/".....
    But why couldn't I set the access-denied-page="/accessDenied.htm"? Still don't understand.
    Code:
    <filter>
        <filter-name>springSecurityFilterChain2</filter-name>
        <filter-class>org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  4. #4

    Access denied occurs when a user is already authenticated and accesses a URL they do not have access to (i.e. ROLE_USER tries to access a ROLE_ADMIN url).
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
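    As an added example (not code from this thread or from the Spring Security project), here are the two extension points Luke Taylor and Rob Winch distinguish, implemented against the Spring Security 3.0 API the thread uses: an AuthenticationFailureHandler for a failed login (what authentication-failure-handler-ref plugs in, where authentication-failure-url is the simple form) and an AccessDeniedHandler for an already-authenticated user requesting a URL their roles do not cover (what access-denied-page / access-denied-handler configures). The class name SecurityHandlers, the bean ids, the /admin/** rule and the redirect URLs are assumptions for the example; the package is the one from the thread's LoginController.

```java
package no.capra.profileweb;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Two different events, two different hooks (Spring Security 3.0):
 *   RoutingFailureHandler      - a LOGIN failed (wrong password, locked account, ...)
 *                                wired via <form-login authentication-failure-handler-ref="failureHandler"/>
 *   LoggingAccessDeniedHandler - an AUTHENTICATED user asked for a URL their roles do not allow
 *                                wired via <access-denied-handler ref="deniedHandler"/>
 *
 * Assumed wiring inside the thread's <beans:beans> (bean ids and URLs are this example's choice):
 *   <beans:bean id="failureHandler" class="no.capra.profileweb.SecurityHandlers$RoutingFailureHandler">
 *     <beans:constructor-arg value="/login.htm?error=1"/>
 *     <beans:constructor-arg value="/login.htm?locked=1"/>
 *   </beans:bean>
 *   <beans:bean id="deniedHandler" class="no.capra.profileweb.SecurityHandlers$LoggingAccessDeniedHandler">
 *     <beans:constructor-arg value="/accessDenied.htm"/>
 *   </beans:bean>
 *   <http auto-config="true">
 *     <intercept-url pattern="/login.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
 *     <intercept-url pattern="/accessDenied.htm*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
 *     <intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
 *     <intercept-url pattern="/**" access="ROLE_USER"/>
 *     <form-login login-page="/login.htm" authentication-failure-handler-ref="failureHandler"/>
 *     <access-denied-handler ref="deniedHandler"/>
 *   </http>
 */
public class SecurityHandlers {

    /** Runs only when the login form POST fails. Chooses a page per failure cause. */
    public static class RoutingFailureHandler implements AuthenticationFailureHandler {
        private static final Log log = LogFactory.getLog(RoutingFailureHandler.class);
        private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
        private final String badCredentialsUrl;
        private final String accountProblemUrl;

        public RoutingFailureHandler(String badCredentialsUrl, String accountProblemUrl) {
            this.badCredentialsUrl = badCredentialsUrl;
            this.accountProblemUrl = accountProblemUrl;
        }

        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException exception) throws IOException, ServletException {
            // Log the attempted username and client address, never the password: this is the
            // event a brute-force / credential-stuffing detection rule counts per source and account.
            log.warn("Login failed for '" + request.getParameter("j_username") + "' from "
                    + request.getRemoteAddr() + ": " + exception.getClass().getSimpleName());
            redirectStrategy.sendRedirect(request, response, targetFor(exception));
        }

        /** Locked or disabled accounts get their own page; anything else counts as bad credentials. */
        String targetFor(AuthenticationException exception) {
            if (exception instanceof LockedException || exception instanceof DisabledException) {
                return accountProblemUrl;
            }
            return badCredentialsUrl;
        }
    }

    /** Runs only for an authenticated user who hits a URL their authorities do not cover. */
    public static class LoggingAccessDeniedHandler implements AccessDeniedHandler {
        private static final Log log = LogFactory.getLog(LoggingAccessDeniedHandler.class);
        private final String accessDeniedPage;

        public LoggingAccessDeniedHandler(String accessDeniedPage) {
            this.accessDeniedPage = accessDeniedPage;
        }

        public void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException, ServletException {
            // ExceptionTranslationFilter sends anonymous users to the login entry point instead of
            // here, so the principal is normally present; the null check is defensive.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String who = (auth == null) ? "<none>" : auth.getName();
            log.warn("Access denied for '" + who + "' to " + request.getRequestURI()
                    + " (" + accessDeniedException.getMessage() + ")");
            // Same mechanism as the default AccessDeniedHandlerImpl: HTTP 403, then forward to the page.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            request.getRequestDispatcher(accessDeniedPage).forward(request, response);
        }
    }
}
```

    With that wiring and the thread's user-service, "peter" (ROLE_USER only) typing a wrong password is redirected to /login.htm?error=1 by RoutingFailureHandler, while "peter" logged in and requesting /admin/anything gets /accessDenied.htm with a 403 from LoggingAccessDeniedHandler; the two never overlap, which is why access-denied-page alone could not react to a bad password in the original question.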

  5. #5

    Quote Originally Posted by rwinch
    Access denied occurs when a user is already authenticated and accesses a URL they do not have access to (i.e. ROLE_USER tries to access a ROLE_ADMIN url).
    Thanks! That explains it.
