I'm attempting to get the AccessDeniedHandler workings and I have read several other posts, including issue SEC-1608, of which I've tried various solutions and keep hitting a dead end.
Security setup I've got:
in the http element of security setup:
<beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
<beans:property name="errorPage" value="/accessDenied"/>
As you can see, I'm trying to forward to http://localhost:8080/app/accessDenied. I can navigate to this url just fine manually, see the content I'm expecting, everybody is happy. I did implement my own AccessDeniedHandler implementation (not shown above) and put some logging in there to ensure that the security was processing through the handler. My own impl was the same as AccessDeniedHandlerImpl that comes with Spring just with some added logging and when I access an unauthorized url, I can see the logging messages but I end up with a 404, /app/accessDenied.
From what I can see, the security filtering mech is working but the forward isn't.
I've tried security settings on the accessDenied resource as 'none', isAnonymous and permitAll - none seemed to make a difference.
This app is using tiles and Spring security 3.0.4. I saw a post regarding a bug in 3.0.4 version (SEC-1608) which suggested using the anonymous settings but like I said, that didn't help.
I would prefer to get Spring security to work and not use the error page setup in web.xml.
Thoughts? Ideas? If there's another thread out there which address this, my pre-apologies for beating a dead horse.