Home/ Questions/Q 3491776
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T11:40:40+00:00

I’m facing a little issue with Spring Security 3.0.x (3.0.2 in particular at the

  • 0

I’m facing a little issue with Spring Security 3.0.x (3.0.2 in particular at the moment). The whole application I’m working on is working perfectly except when someone who doesn’t have the authorities tries to log on.

When it occurs, the users is redirected to the “welcome” page, since his username/password are valid, and he receive a cute white page with this : “Error 403: Access is denied”

So, I’ve been looking on the net trying to find how this behavior can be handled. So far I’ve come to the conclusion, please correct me if I’m wrong, that it is managed by the ExceptionTranslationFilter. But I don’t quite understand how to make any good use of this information.

I’ve tryied to edit my SecurityContext.xml to add a access-denied-handler tag to my http tag, but it doesn’t work. Do I need to add more than this tag to make it work? Is there any other possibilities to make my application more user-friendly?

Edit : I would like to redirect to a page, let’s says 403.html, for example.

Sincerly,
Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ve found how to do this. By implementing the AccessDeniedHandler interface and the corresponding handle method I can, easily, control the way the Http 403 error is handled.

    This way, you can add various items in the session and then intercept them on your jsp.

    The xml file then looks like this :

    <sec:http>
    <!-- lots of urls here -->
    <sec:access-denied-handler ref="accessDeniedHandler" />
    <sec:anonymous/>
</sec:http>

<bean id="accessDeniedHandler" class="foo.bar.CustomAccessDeniedHandler">
    <property name="accessDeniedUrl" value="403.html" />
</bean>

    The java class :

    package foo.bar;
public class CustomAccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler {
private String accessDeniedUrl;

    public CustomAccessDeniedHandler() {
    }

    public CustomAccessDeniedHandler(String accessDeniedUrl) {
        this.accessDeniedUrl = accessDeniedUrl;
    }

    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        response.sendRedirect(accessDeniedUrl);
        request.getSession().setAttribute("CustomSessionAttribute", "value here");
    }

    public String getAccessDeniedUrl() {
        return accessDeniedUrl;
    }

    public void setAccessDeniedUrl(String accessDeniedUrl) {
        this.accessDeniedUrl = accessDeniedUrl;
    }
}

    And a jsp example : 

    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <c:if test="${!empty CustomSessionAttribute}">
    <br/>
    ACCESS IS DENIED
    <br/>
 </c:if>
<!-- other stuff down here -->
    • 0