access-denied-page & url

**ctapobep** · May 20th, 2009, 06:27 AM

I put this at security context

Code:

<http auto-config='true' access-denied-page="/home.action">

When access is denied for user, it redirects him to home page, but the url address in address bar at browser doesn't change for /home.action. What should I do to correct this? The controller, which processes requests to home.action, extends AbstractController.

**davymeers** · May 20th, 2009, 11:25 AM

you could try to add "redirect:" before your url (so it becomes "redirect:/home.action")

**ctapobep** · May 21st, 2009, 06:48 AM

Nope, IllegalArgumentException will throw then. It should begin with "/".

**davymeers** · May 21st, 2009, 07:24 AM

you are right.

The <http>-tag creates a ExceptionTranslationFilter and this filter uses by default a org.springframework.security.ui .AccessDeniedHandlerImpl

The javadoc of that AccessDeniedHandler states:

This implementation sends a 403 (SC_FORBIDDEN) HTTP error code. In addition, if a errorPage is defined, the implementation will perform a request dispatcher "forward" to the specified error page view

So to have the behaviour that you want, you could implement your own AccessDeniedHandler

And then declare an ExceptionTranslationFilter that uses your AccessDeniedHandler.

An inconvenience is that the <http>-tag doesn't let you specify another ExceptionHandlerFilter this means you need to manually create you security configuration (filterchain, etc)

**Luke Taylor** · May 21st, 2009, 07:32 AM

Alternatively just use an MVC controller which handles the URL and does whatever you want.

Support for a custom AccessDeniedHandler is already part of completed roadmap for Spring Security 3.0:

http://jira.springsource.org/browse/SEC-1100

**ctapobep** · May 21st, 2009, 07:45 AM

Thanks for answers!

Thread: access-denied-page & url

Thread Tools

Display

access-denied-page & url

Posting Permissions