Aug 31st, 2011, 05:10 PM
Redirect an authenticated user without any roles
I have a Grails application that uses Spring Security Core & Spring Security CAS to authenticate against a university-wide CAS server and an authorization scheme driven by a local database. This means that anyone on the university can authenticate, but only certain users are given the authorization to perform actions in the application. Currently, if a university member logs into the application (via the university CAS server), but does not have a role in the application, they are redirected to the original non-CAS "database-driven" login page. I was expecting that the application would throw a 403 error, but it quietly handled the issue and redirected to the login page, which led me to believe this could be configured in some way. Could anyone tell me if it is possible to configure how the application (Spring Security Core/CAS) redirects a user when they have no roles defined for the application?
Thanks for the help
Aug 31st, 2011, 10:50 PM
Whenever Spring Security authenticates a CAS service ticket, it uses the UserDetailsService you specified to see if the user even exists. If it does not exist it uses the authenticationFailureHandler on the CasAuthenticationFilter. If the user does exist, but does not have the correct roles it uses the accessDeniedHandler on the ExceptionTranslationFilter (this is true even if you are authenticating in other ways). You can use http@access-denied-page from the Spring Security namespace to set the page you wish to go to if the request is denied.
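As an added illustration (not code from this thread or from the plugin), here is what a custom accessDeniedHandler for a Grails / Spring Security Core application could look like: it sends a CAS-authenticated user who holds no application role to a dedicated page and returns a plain 403 otherwise. The class name, the /noRole page, the bean wiring in resources.groovy and the plugin's ROLE_NO_ROLES placeholder authority are assumptions to verify against your plugin version.

```groovy
// Hypothetical handler; wire it as the plugin's access denied handler bean in
// grails-app/conf/spring/resources.groovy (bean name assumed):
//   accessDeniedHandler(NoRoleAccessDeniedHandler) { noRolePage = '/noRole' }
package security

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.core.Authentication
import org.springframework.security.core.context.SecurityContextHolder
import org.springframework.security.web.access.AccessDeniedHandler

class NoRoleAccessDeniedHandler implements AccessDeniedHandler {

    // Placeholder authority the Grails plugin assigns when a user has no
    // roles (assumed value; check SpringSecurityUtils.NO_ROLE in your version).
    static final String NO_ROLE = 'ROLE_NO_ROLES'

    // Page explaining that the account exists but has not been granted access.
    String noRolePage = '/noRole'

    void handle(HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException e) {
        Authentication auth = SecurityContextHolder.context.authentication
        if (auth?.authenticated && hasNoRoles(auth)) {
            // CAS authentication succeeded but the local database grants
            // nothing: show an explanation rather than a bare 403 or a
            // confusing redirect back to a login page.
            response.sendRedirect(request.contextPath + noRolePage)
            return
        }
        // Authenticated with roles that do not cover this URL: plain 403,
        // without echoing request details back to the client.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, 'Access denied')
    }

    // True when the user holds no authority other than the placeholder.
    private static boolean hasNoRoles(Authentication auth) {
        def roles = auth.authorities*.authority
        !roles || roles.every { it == NO_ROLE }
    }
}
```

The ExceptionTranslationFilter only reaches this handler for a non-anonymous user; anonymous requests still go to the configured authentication entry point.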