
Thread: Access Denied Handler not working

  1. #1

    Access Denied Handler not working

    I have the following Spring security configuration:
    <security:http entry-point-ref="preAuthenticateEntryPoint">
    <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthenticationFilter" />
    <security:custom-filter ref="validSessionFilter" position="FIRST" />
    <security:intercept-url pattern="/admin.jsp" access="ROLE_SUPERVISOR" />
    <security:intercept-url pattern="/welcome.jsp" filters="none" />
    <security:intercept-url pattern="/invalidSession.jsp" filters="none" />
    <security:intercept-url pattern="/illegalAccess.htm" filters="none" />
    <security:access-denied-handler error-page="/illegalAccess.htm" />
    <security:logout invalidate-session="true" logout-url="/logout.jsp"
    logout-success-url="/logged_out.jsp" />
    </security:http>

    When access issues exist, the custom access denied page is not getting thrown. Instead I see a browser-specific 403 page. On the console, I see org.springframework.security.access.AccessDeniedException being thrown instead of being handled by the handler.

    Am I doing anything wrong here?

  2. #2

    jr

    see my thread here http://forum.springsource.org/showth...denied-handler

    I suspect you are seeing what I am seeing.

    In preauth... If accessDenied is thrown but the user is determined to be anonymous (or if the securityHolder context is null), then it will rethrow to the authentication entry point, which in this case rethrows and you get a standard 403.

    I have not yet found a way to deal with this but I am still trying. It's frustrating because in my case, where preauth is x509 and the user is not anonymous, I can't catch the error properly as the context is cleared by the time I get to the standard 403 error page.

  3. #3

    jr

    Just updating... I have so far been unable to handle access denied better.

    In my case (x509 with LDAP authorities) I implemented my own FilterBasedLDAPUserSearch and UserDetailsService and changed the userNameNotFound exceptions to accessDenied. However, as I explained in the other thread, because the context is cleared, the handleException method of the exception translation filter redirects to the authentication entry point.

    I tried to change this behavior (i.e. override etc.) but have been unable to do so yet. I am also concerned there may be unintended consequences from removing the isAnonymous check from that method.

  4. #4

    Custom Handler fixed this

    Thanks for your input. In my case the user is not anonymous. When I used my own custom access denied handler, this was fixed.

  5. #5

    jr

    Glad to hear that you got it fixed.

    If possible could you post your fix? I have been unable to get a fix working.

    thanks

  6. #6

    My fix

    Here is the Class I wrote:
    import java.io.IOException;

    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.web.access.AccessDeniedHandler;

    public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
        // context-relative page to forward to; set from the bean definition below
        private String errorPage;

        public AccessDeniedHandlerImpl() {
        }

        /* (non-Javadoc)
         * @see org.springframework.security.web.access.AccessDeniedHandler#handle(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.springframework.security.access.AccessDeniedException)
         */
        public void handle(HttpServletRequest request,
                HttpServletResponse response,
                AccessDeniedException accessDeniedException) throws IOException,
                ServletException {
            // forward (not redirect) so the original request and its attributes reach the error page
            RequestDispatcher rd = request.getRequestDispatcher(errorPage);
            rd.forward(request, response);
        }

        public void setErrorPage(String errorPage) {
            this.errorPage = errorPage;
        }

        public String getErrorPage() {
            return errorPage;
        }
    }

    Here is how I configured Spring security:

    <security:http entry-point-ref="preAuthenticateEntryPoint">
    <security:custom-filter position="PRE_AUTH_FILTER" ref="j2eePreAuthenticationFilter" />
    <security:custom-filter ref="validSessionFilter" position="FIRST" />
    <security:intercept-url pattern="/admin.jsp" access="ROLE_SUPERVISOR" />
    <security:intercept-url pattern="/welcome.jsp" filters="none" />
    <security:intercept-url pattern="/invalidSession.jsp" filters="none" />
    <security:intercept-url pattern="/illegalAccess.htm" filters="none" />
    <security:intercept-url pattern="/loggedOut.jsp" filters="none" />
    <security:access-denied-handler ref="accessDeniedHandler" />
    <security:logout invalidate-session="true" logout-url="/logout.jsp"
    logout-success-url="/loggedOut.jsp" />
    </security:http>

    <bean id="accessDeniedHandler"
    class="xxx.springauthentication.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/illegalAccess.htm" />
    </bean>
    Last edited by jrpalla; Nov 1st, 2011 at 09:09 AM.
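As an added example (not code from the thread and not Spring's own source), a variant of the posted handler that also does what Spring's stock AccessDeniedHandlerImpl does: it sets HTTP 403 instead of letting the forwarded page go out as 200, exposes the exception to the page under WebAttributes.ACCESS_DENIED_403, checks that the response is not already committed, and records which principal was refused which URI. The class name AuditingAccessDeniedHandler and the use of java.util.logging are assumptions; it is wired exactly like the accessDeniedHandler bean above, and as the thread notes it is only ever reached for non-anonymous principals, since ExceptionTranslationFilter sends anonymous callers to the entry point instead.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.AccessDeniedHandler;

// Added example, not the thread's code: forward-to-error-page like the poster's fix,
// plus the steps Spring's stock AccessDeniedHandlerImpl takes that the posted class
// skips (403 status, exception attribute, committed-response check) and an audit log line.
public class AuditingAccessDeniedHandler implements AccessDeniedHandler {
    private static final Logger LOG = Logger.getLogger(AuditingAccessDeniedHandler.class.getName());
    private String errorPage; // wired from XML, e.g. "/illegalAccess.htm" (assumed value)

    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException ex) throws IOException, ServletException {
        // ExceptionTranslationFilter only invokes this handler for non-anonymous
        // principals (anonymous callers are sent to the entry point), so the
        // context normally still holds the authenticated user here; guard anyway.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String principal = (auth == null) ? "<no authentication in context>" : auth.getName();
        LOG.warning("Access denied: principal=" + principal + " uri=" + request.getRequestURI()
                + " reason=" + ex.getMessage());
        if (response.isCommitted()) {
            return; // headers already sent; forwarding now would throw IllegalStateException
        }
        if (errorPage == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, ex.getMessage());
            return;
        }
        // Let the JSP read the exception, and keep the status 403 rather than the
        // 200 a plain forward would produce (matters for monitoring and proxies).
        request.setAttribute(WebAttributes.ACCESS_DENIED_403, ex);
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher(errorPage).forward(request, response);
    }

    public void setErrorPage(String errorPage) {
        // forward() needs a context-relative path; fail at wiring time, not on first denial
        if (errorPage != null && !errorPage.startsWith("/")) {
            throw new IllegalArgumentException("errorPage must begin with '/'");
        }
        this.errorPage = errorPage;
    }
}
```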
