I have the same exact question as here, except that the answer doesn’t make sense to me.

Spring Security Access Denied Handler – how do you determine what the URL was that the user tried to access?

I tried to follow what they were saying in their answer by creating this:

@RequestMapping("/invalidPermission")
public void invalidPermission(HttpServletRequest request) {
  System.out.println(request.getServletPath());
}

However, the request.getServletPath() will obviously print out /invalidPermission instead of the original url they attempted to access.

Any ideas?

Thanks!

Update: Here’s the working code

<access-denied-handler ref="FooAccessDeniedHandler" />
<bean id="FooAccessDeniedHandler"
     class="my.pkg.AccessDeniedExceptionHandler">
  <property name="errorPage" value="/path-to/custom403.jsp" />
</bean>

package my.pkg.AccessDeniedExceptionHandler;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public final class AccessDeniedExceptionHandler implements AccessDeniedHandler {

    private String errorPage;

    @Override
    public void handle(final HttpServletRequest request, final HttpServletResponse response, final AccessDeniedException arg2) throws IOException, ServletException {
        System.out.println(String.format("URL [%s] ", request.getServletPath()));
        response.sendRedirect(getErrorPage());
    }

    public String getErrorPage() {
        return errorPage;
    }

    public void setErrorPage(String errorPage) {
        this.errorPage = errorPage;
    }

}