
Thread: Handling AccessDenied with Method Level Security

  1. #1

    Handling AccessDenied with Method Level Security

    I have a method secured with Spring Security as follows:

    Code:
    @PreAuthorize("hasRole('add_user')")
    public void addUser(User user);
    and if a user without enough permissions tries to invoke it, an AccessDeniedException is thrown:

    Code:
    org.springframework.security.access.AccessDeniedException: Access is denied
    This is what's expected, but the question is why the access-denied-handler defined in the security.xml configuration file is not working:

    Code:
    <access-denied-handler error-page="accessDenied"/>
    Shouldn't the user get redirected automatically to the access denied page when this exception is thrown, or do I have to define such behavior explicitly in code?

    Please advise.

    UPDATE: security configuration:

    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:util="http://www.springframework.org/schema/util"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
            http://www.springframework.org/schema/util
            http://www.springframework.org/schema/util/spring-util-3.1.xsd">

        <!-- Enable @pre, @post spring security method level annotations -->
        <global-method-security pre-post-annotations="enabled" />

        <http use-expressions="true" auto-config="true" access-denied-page="/accessDenied">

            <session-management session-fixation-protection="none"/>

            <remember-me token-validity-seconds="1209600"/>

            <intercept-url pattern="/accessDenied" access="permitAll"/>
            <intercept-url pattern="/login" access="permitAll"/>
            <intercept-url pattern="/j_spring_security_check" access="permitAll" />

            <intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll" />
            <intercept-url pattern="/xmlhttp/**" access="permitAll" />
            <intercept-url pattern="/resources/**" access="permitAll" />
            <intercept-url pattern="/scripts/**" access="permitAll" />
            <intercept-url pattern="/images/**" access="permitAll" />
            <intercept-url pattern="/css/**" access="permitAll" />

            <!-- All pages require authentication (not anonymous user) -->
            <intercept-url pattern="/**" access="isAuthenticated()" />
            <intercept-url pattern="/faces/**" access="isAuthenticated()" />

            <form-login default-target-url="/"
                always-use-default-target="true"
                login-processing-url="/j_spring_security_check"
                login-page="/login"
                authentication-failure-url="/login?login_error=1"
            />

            <logout logout-url="/logout" logout-success-url="/login" />
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider user-service-ref="userDetailsServiceImpl"/>
        </authentication-manager>

    </beans:beans>
    Last edited by sword101; Oct 27th, 2011 at 11:21 AM.

  2. #2


    Sword

    When you say "not working", what do you mean? What DOES happen? A 403 page, or?

    I use the configuration you posted and it does work. However, Spring's use of accessDenied has a few conditions that can be difficult.

  3. #3

    I mean that when an AccessDeniedException occurs (because the user doesn't have permission on a service method), the exception is thrown and the user is not redirected to the access denied page.

  4. #4


    OK

    In my case the access denied config is its own line, not part of the http element:

    Code:
    <access-denied-handler error-page="/accessDenied" />
    When you debug, do you see a request for that page? Or not at all?

    It's important to know that accessDenied acts differently depending on what exactly is happening.

    So for example, if your user had insufficient AUTHORITIES then you will likely get to the accessDenied page; however, if your user is otherwise unauthenticated because your user details service cannot find the user, then you will not get accessDenied.

    You might try putting a breakpoint in the o.s.s.web.access.ExceptionTranslationFilter handleException method, where you can see the accessDenied filter being called. It is not called in all cases of the AccessDeniedException.
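    As an added illustration (not code from the thread or from Spring Security itself), here is one further way the handler can be skipped even when the configuration is fine: the caller of the secured method catches Exception and swallows the AccessDeniedException, so it never propagates up the servlet filter chain to ExceptionTranslationFilter. The service and domain names follow the log above; the UserActions class is hypothetical.

    ```java
    // Added illustration, not the poster's code. Assumed: a web-layer action class that
    // calls the secured UserService.addUser(User) seen in the thread's log.
    package com.myapp.web;

    import org.springframework.security.access.AccessDeniedException;

    import com.myapp.domain.User;
    import com.myapp.service.UserService;

    public class UserActions {

        private final UserService userService;

        public UserActions(UserService userService) {
            this.userService = userService;
        }

        // addUser is declared "throws Exception" (see the log), so a blanket catch is
        // tempting. This version swallows the AccessDeniedException: the exception never
        // reaches ExceptionTranslationFilter, the response renders normally, and no
        // redirect to /accessDenied ever happens.
        public String addUserSwallowing(User user) {
            try {
                userService.addUser(user);
                return "success";
            } catch (Exception e) {
                return "error";   // AccessDeniedException is lost here
            }
        }

        // This version handles application failures itself but lets the security
        // exception continue up to ExceptionTranslationFilter, which then decides:
        // anonymous user -> authentication entry point (login page),
        // authenticated user with insufficient authorities -> access-denied-handler.
        // Wrapping by the view layer is fine: the filter walks the cause chain.
        public String addUserPropagating(User user) {
            try {
                userService.addUser(user);
                return "success";
            } catch (AccessDeniedException denied) {
                throw denied;     // unchecked; propagates to the security filter chain
            } catch (Exception e) {
                return "error";   // non-security failures stay application-level
            }
        }
    }
    ```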

  5. #5

    Following are the debug lines logged before the AccessDeniedException is thrown:

    Code:
    DEBUG [http-bio-8080-exec-1] (PrePostAnnotationSecurityMetadataSource.java:93) - @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('add_user')) found on specific method: public void com.myapp.service.impl.UserServiceImpl.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException
    DEBUG [http-bio-8080-exec-1] (DelegatingMethodSecurityMetadataSource.java:66) - Adding security method [CacheKey[com.myapp.service.impl.UserServiceImpl; public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException]] with attributes [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
    DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:191) - Secure object: ReflectiveMethodInvocation: public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException; target is of class [com.myapp.service.impl.UserServiceImpl]; Attributes: [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
    DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c650d918: Principal: org.springframework.security.core.userdetails.User@db344023: Username: user@mycomp.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: access_viewUsers; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E6BBAC0CD4499B1455227DC6035CC882; Granted Authorities: access_viewUsers
    DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@1d1e082e, returned: -1
    DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.RoleVoter@1eab12f1, returned: 0
    DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.AuthenticatedVoter@71689bf1, returned: 0
    Please advise.
