
Thread: Handling AccessDeniedException in XML

  1. #1


    Hi, I'm trying to handle AccessDeniedException in XML configuration.

    I do use @Controller with @Secured

    Code:
    @Controller
    @Secured("ROLE_PUBLISHER")
    public class ManagerController ...
    The problem is, when I'm not authenticated, accessing URLs that use @RequestMapping under a @Secured @Controller returns HTTP 400 (not 403) with a simple body:

    org.springframework.security.access.AccessDeniedException: Access is denied

    And my referenced AccessDeniedHandler doesn't get called, no matter what I try.

    I need a simple redirect to the "/login" relative path on AccessDeniedException.

    I've scraped the DEBUG log for .security:

    Code:
    2012-06-13 12:48:00,309 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 1 of 10 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 2 of 10 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <HttpSession returned null object for SPRING_SECURITY_CONTEXT>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <No SecurityContext was available from the HttpSession: org.mortbay.jetty.servlet.HashSessionManager$Session:10jdbj7g6r8mx1ouutmu6pblzc@1785236847. A new one will be created.>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 3 of 10 in additional filter chain; firing Filter: 'LogoutFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 4 of 10 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 5 of 10 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 6 of 10 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 7 of 10 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] - <Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: 10jdbj7g6r8mx1ouutmu6pblzc; Granted Authorities: ROLE_ANONYMOUS'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 9 of 10 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.FilterChainProxy] - </ at position 10 of 10 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/'; against '/login_ok'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/'; against '/user/**'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/'; against '/admin/**'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/'; against '/manager/**'>
    2012-06-13 12:48:00,310 DEBUG [org.springframework.security.web.access.intercept.FilterSecurityInterceptor] - <Public object - authentication not attempted>
    2012-06-13 12:48:00,311 DEBUG [org.springframework.security.web.FilterChainProxy] - </ reached end of additional filter chain; proceeding with original chain>
    2012-06-13 12:48:00,312 DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] - <Returning cached instance of singleton bean 'managerController'>
    2012-06-13 12:48:00,312 DEBUG [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] - <Secure object: ReflectiveMethodInvocation: public java.lang.String com.cleevio.elasticdeals.controllers.ManagerController.dashboard(java.util.Map); target is of class [com.cleevio.elasticdeals.controllers.ManagerController]; Attributes: [ROLE_PUBLISHER]>
    2012-06-13 12:48:00,312 DEBUG [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] - <Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a: RemoteIpAddress: 127.0.0.1; SessionId: 10jdbj7g6r8mx1ouutmu6pblzc; Granted Authorities: ROLE_ANONYMOUS>
    2012-06-13 12:48:00,312 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - <Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@6e024d3a, returned: 0>
    2012-06-13 12:48:00,312 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - <Voter: org.springframework.security.access.vote.RoleVoter@591c5342, returned: -1>
    2012-06-13 12:48:00,313 DEBUG [org.springframework.security.access.vote.AffirmativeBased] - <Voter: org.springframework.security.access.vote.AuthenticatedVoter@529e3fc2, returned: 0>
    2012-06-13 12:48:00,315 DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] - <Chain processed normally>
    2012-06-13 12:48:00,316 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] - <SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.>
    2012-06-13 12:48:00,316 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] - <SecurityContextHolder now cleared, as request processing completed>
    and these are my HTTP security settings:

    Code:
    <beans:bean class="com.mycompany.myproject.security.CustomAccessDeniedHandler"
            name="customAccessDeniedHandler" id="customAccessDeniedHandler" />

    <http use-expressions="true">
        <access-denied-handler ref="customAccessDeniedHandler" />
        ...
    </http>
    Note that I cannot put the URL mapping under intercept-url.

  2. #2

    If you have a HandlerExceptionResolver registered, it may be processing the exception for you. Ensure that Spring MVC is allowing the exception to bubble up to Spring Security. Alternatively, the HandlerExceptionResolver could perform the redirect on an AccessDeniedException.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
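The second option in the reply above, a HandlerExceptionResolver that performs the redirect itself, as an added example that is not code from the thread or from Spring. The package name and the "/login" path are taken from the question; the class name AccessDeniedRedirectResolver and the constructor argument are assumptions. The resolver claims only AccessDeniedException and returns null for everything else, so other resolvers (or the filter chain) still see the remaining exceptions; the log in the question shows the method-level MethodSecurityInterceptor throwing inside the controller, which is why ExceptionTranslationFilter reports "Chain processed normally" when something in MVC has already consumed the exception.

```java
// Added example, not from the thread. Assumes Spring MVC 3.x / Spring Security 3.x
// and the package com.mycompany.myproject.security from the question's XML.
package com.mycompany.myproject.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.Ordered;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.servlet.HandlerExceptionResolver;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

/**
 * Redirects to the login page when a controller method throws
 * AccessDeniedException (e.g. from @Secured on a @Controller).
 * Register it as a bean in the DispatcherServlet context:
 *
 *   <bean class="com.mycompany.myproject.security.AccessDeniedRedirectResolver">
 *       <constructor-arg value="/login" />
 *   </bean>
 */
public class AccessDeniedRedirectResolver implements HandlerExceptionResolver, Ordered {

    private final String loginPath; // context-relative, e.g. "/login" (assumed from the question)

    public AccessDeniedRedirectResolver(String loginPath) {
        this.loginPath = loginPath;
    }

    // Run before DefaultHandlerExceptionResolver and any @ExceptionHandler mapping,
    // so nothing else turns the exception into a 400/500 first.
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE;
    }

    public ModelAndView resolveException(HttpServletRequest request,
                                         HttpServletResponse response,
                                         Object handler,
                                         Exception ex) {
        if (!(ex instanceof AccessDeniedException)) {
            // Not ours: returning null lets the next resolver try, and if none
            // handles it, DispatcherServlet rethrows so ExceptionTranslationFilter
            // can apply the access-denied-handler / entry point from the XML config.
            return null;
        }
        // contextRelative = true prepends the servlet context path to "/login".
        RedirectView view = new RedirectView(loginPath, true);
        return new ModelAndView(view);
    }
}
```

If you would rather keep the redirect logic in the XML `<access-denied-handler>` from the question, the first option in the reply applies instead: remove or narrow whatever resolver or @ExceptionHandler is currently catching AccessDeniedException so the exception propagates out of DispatcherServlet to ExceptionTranslationFilter, which will then invoke your customAccessDeniedHandler (or, for an anonymous user, the authentication entry point).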
