Results 1 to 5 of 5

Thread: How to handle AccessDeniedException in Spring Security?

  1. Jan 5th, 2012, 07:29 AM #1
    msaleh
    msaleh is offline Junior Member
    Join Date
    Oct 2011
    Posts
    18

    Default How to handle AccessDeniedException in Spring Security?

    i am using spring security 3, and i want whenever the AccessDeniedException is thrown, the user get's redirected to specific page:


    Code:
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:112)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
    	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
    	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
    	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
    	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    	at java.lang.Thread.run(Thread.java:619)
    so i tried to use access-denied-handler
    and here's the handler:


    Code:
    @Service("accessDeniedHandler")
    public class AccessDeniedHandler extends AccessDeniedHandlerImpl {
    
    	Log log = LogFactory.getLog(getClass());
    
    	@Override
    	public void handle(HttpServletRequest request,
    			HttpServletResponse response, AccessDeniedException exception)
    			throws IOException, ServletException {
    		log.info("############### Access Denied Handler!");
    		setErrorPage("/accessDenied");
    		super.handle(request, response, exception);
    	}
    
    }
    - security.xml:


    Code:
            <http use-expressions="true"  auto-config="true" >
    	     	  
    	<session-management session-fixation-protection="none"/>
    	    	    	    
            <remember-me  token-validity-seconds="1209600"/>
            
            <intercept-url pattern="/accessDenied" access="permitAll"/>
            
            <intercept-url pattern="/login" access="permitAll"/>
            <intercept-url pattern="/j_spring_security_check" access="permitAll" />
                   
            <intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll"/>
    		<intercept-url pattern="/xmlhttp/**" access="permitAll" />
    		<intercept-url pattern="/resources/**" access="permitAll" />
    		
    		<intercept-url pattern="**/faces/javax.faces.resource/**" access="permitAll"/>
    		<intercept-url pattern="**/xmlhttp/**" access="permitAll" />
    		<intercept-url pattern="**/resources/**" access="permitAll" />
    		
            
            <intercept-url pattern="/**" access="isAuthenticated()" />
    
    	<access-denied-handler ref="accessDeniedHandler" />
 
        <!-- tried the error page too with no luck -->

        <!-- 
        <access-denied-handler error-page="/accessDenied" />
        -->
       
    			
    	</http>
    but the issue: is that when the exception is thrown, it doesn't enter the accessDeniedHandler class, please advise.
    Last edited by msaleh; Jan 5th, 2012 at 10:08 AM.
    Reply With Quote Reply With Quote
  2. Jan 5th, 2012, 09:08 AM #2
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,833

    Default

    How did you configure Spring Security to use the AccessDeniedHandler? You will want to ensure to specify the <access-denied-handler ref="accessDeniedHandler"/>. See the Appendix for details. Can you post your Spring Security configuration? Another thing to note is that AccessDeniedHandler is probably not a @Service it is probably an @Component. Last be cautious about setting member variables inside methods (like setErrorPage) as this will likely lead to race conditions.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
    Reply With Quote Reply With Quote
  3. Jan 5th, 2012, 10:09 AM #3
    msaleh
    msaleh is offline Junior Member
    Join Date
    Oct 2011
    Posts
    18

    Default

    i updated the question with xml configuration i am using.
    Reply With Quote Reply With Quote
  4. Jan 5th, 2012, 10:41 AM #4
    Rob Winch
    Rob Winch is offline Senior Member Spring Team
    Join Date
    Jan 2008
    Posts
    1,833

    Default

    Can you include your entire Spring Security configuration? You stated that it never never enters your AccessDeniedHandler, what happens instead? For example, when I get AccessDeniedException I see an error page in the browser that says ".."
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
    Reply With Quote Reply With Quote
  5. Jan 5th, 2012, 01:27 PM #5
    msaleh
    msaleh is offline Junior Member
    Join Date
    Oct 2011
    Posts
    18

    Default

    just the exception is thrown in console, no other action.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules