AccessDeniedException customised error page

[brian11@fastmail.fm]

Hi,

I have a small problem which is bugging me when using Acegi. Whenever a user attempts to access a page which
he/she is not authorised an AccessDeniedException is being thrown. I understand that using SecurityEnforcementFilter
it will catches the exception and set response status to 403 SC_FORBIDDEN.

Problem: I set a 403 error-page handling in web.xml and expect my customised 403 error page to be displayed whenever
an unauthorised user try to access a page. However, it never display my customised 403 error page but it display
the webserver default 403 error page.

I'm using Spring MVC and Tomcat 5.0.19 and Spring 1.2.2.

Note: this is quite similar to
http://forum.springframework.org/showthread.php?t=14670 where
the user uses tapestry and is having similar problem.

Question:
1. Is this a common problem?
2. Is there anyway for me to display my customised page without any code modification?

Thanks in advanced.

[Ben Alex]

I cannot reproduce this problem. I just checked into CVS a modification to Contacts Sample Filter web.xml which uses a 403 successfully with a custom error page. So, it should "just work" with something like:

Code:

	<error-page>
		<error-code>403</error-code>
		<location>/error.html</location>
	</error-page>

[smcneill]

I have also come across the same problem. I'm working with a very simple POC app. I'm just hitting JSPs - haven't even introduced an MVC.

I'm using Tomcat 5.0.28. When I try to hit the error page directly, I'm able (this validates that the error page can be accessed anonymously). Also, I tried the same authorization failure test in IE 6.0 and Firefox 1.0.7. Firefox behaves perfectly (I get my error page); IE shows the IE 403(Forbidden) page.

[igotmilk]

It's an IE bug. The 403 error page must be at least 512 bytes. What I did to get around it was add a html comment with a few hundred bytes.

<!-- aaaaaaaa ... zzzzzzzzz -->