AccessDenied handling with method-level security

I have a Spring-protected method as follows:

@PreAuthorize("hasRole('add_user')")
public void addUser(User user) ;

and if a user who does not have enough privilege tries to call it, an AccessDeniedException is thrown:

org.springframework.security.access.AccessDeniedException: Access is denied

This is what was expected, but the question is why the access-denied handler configured in the security.xml file does not work:

<access-denied-handler error-page="accessDenied"/>

I mean, it does not work when a user with insufficient permission clicks the addUser button, which calls the service method addUser (accessible only to a user who has that permission). An AccessDeniedException is thrown, which is the desired behavior, but the user is not redirected to the access denied page as specified in the XML.

Spring Security 3.0.5, JSF 2.1, ICEFaces 2

UPDATE: applicationSecurity.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"  
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
          http://www.springframework.org/schema/util
          http://www.springframework.org/schema/util/spring-util-3.1.xsd">


    <!-- Enable @pre, @post spring security method level annotations -->
    <global-method-security pre-post-annotations="enabled" />

    <http use-expressions="true" auto-config="true" access-denied-page="/accessDenied">

        <session-management session-fixation-protection="none"/>

        <remember-me token-validity-seconds="1209600"/>

        <intercept-url pattern="/accessDenied" access="permitAll"/>
        <intercept-url pattern="/login" access="permitAll"/>
        <intercept-url pattern="/j_spring_security_check" access="permitAll" />

        <intercept-url pattern="/faces/javax.faces.resource/**" access="permitAll" />
        <intercept-url pattern="/xmlhttp/**" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/scripts/**" access="permitAll" />
        <intercept-url pattern="/images/**" access="permitAll" />
        <intercept-url pattern="/css/**" access="permitAll" />

        <!-- All pages require authentication (not anonymous user) -->
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <intercept-url pattern="/faces/**" access="isAuthenticated()" />

        <form-login default-target-url="/"
            always-use-default-target="true"
            login-processing-url="/j_spring_security_check"
            login-page="/login"
            authentication-failure-url="/login?login_error=1" />

        <logout logout-url="/logout" logout-success-url="/login" />
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetailsServiceImpl"/>
    </authentication-manager>

</beans:beans>

UPDATE 2: debug log:

DEBUG [http-bio-8080-exec-1] (PrePostAnnotationSecurityMetadataSource.java:93) - @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('add_user')) found on specific method: public void com.myapp.service.impl.UserServiceImpl.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException
DEBUG [http-bio-8080-exec-1] (DelegatingMethodSecurityMetadataSource.java:66) - Adding security method [CacheKey[com.myapp.service.impl.UserServiceImpl; public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException]] with attributes [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:191) - Secure object: ReflectiveMethodInvocation: public abstract void com.myapp.service.UserService.addUser(com.myapp.domain.User) throws java.lang.Exception,org.springframework.security.access.AccessDeniedException; target is of class [com.myapp.service.impl.UserServiceImpl]; Attributes: [[authorize: 'hasRole('add_user')', filter: 'null', filterTarget: 'null']]
DEBUG [http-bio-8080-exec-1] (AbstractSecurityInterceptor.java:292) - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@c650d918: Principal: org.springframework.security.core.userdetails.User@db344023: Username: user@mycomp.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: access_viewUsers; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffde5d4: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E6BBAC0CD4499B1455227DC6035CC882; Granted Authorities: access_viewUsers
DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@1d1e082e, returned: -1
DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.RoleVoter@1eab12f1, returned: 0
DEBUG [http-bio-8080-exec-1] (AffirmativeBased.java:53) - Voter: org.springframework.security.access.vote.AuthenticatedVoter@71689bf1, returned: 0
+5
3

Spring Security 3.0, access-denied-page:

  • Extend Spring's AccessDeniedHandlerImpl.
  • Call setErrorPage with the page you want.
  • Add any custom code you need (logging, locking the account, etc.).
  • Call super.handle(_request, _response, _exception); Spring then forwards to the page set in step 2.

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

public class AccessDeniedHandlerApp extends AccessDeniedHandlerImpl {
    private static Logger logger = Logger.getLogger(AccessDeniedHandlerApp.class);

    private static final String LOG_TEMPLATE = "AccessDeniedHandlerApp:  User attempted to access a resource for which they do not have permission.  User %s attempted to access %s";

    @Override
    public void handle(HttpServletRequest _request, HttpServletResponse _response, AccessDeniedException _exception) throws IOException, ServletException {
        setErrorPage("/securityAccessDenied");  // this is a standard Spring MVC Controller

        // getUserPrincipal() is null for an anonymous user, hence the guard
        String user = _request.getUserPrincipal() == null ? "anonymous" : _request.getUserPrincipal().getName();
        logger.warn(String.format(LOG_TEMPLATE, user, _request.getRequestURI()));

        // any time a user tries to access a part of the application that they do not have rights to lock their account
        // <custom code to lock the account>

        super.handle(_request, _response, _exception);  // sets HTTP 403 and forwards to the error page
    }
}

XML: register AccessDeniedHandlerApp (the AccessDeniedHandlerImpl subclass) as the access-denied handler:

<http auto-config='true'>
    <intercept-url pattern="/views/**" access="ROLE_USER" />
    <form-login login-page="/Login.jsp" authentication-success-handler-ref="loginSuccessFilter"
                authentication-failure-handler-ref="loginFailureFilter" />
    <logout logout-success-url="/home" />
    <access-denied-handler ref="customAccessDeniedHandler"/>
</http>

<beans:bean id="customAccessDeniedHandler" class="org.demo.security.AccessDeniedHandlerApp"/>

The controller for the error page:

import org.apache.log4j.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class AccessDeniedController {
    private static Logger logger = Logger.getLogger(AccessDeniedController.class);

    // target of the forward from AccessDeniedHandlerApp; redirect so the browser shows the error URL
    @RequestMapping(value = "/securityAccessDenied")
    public String processAccessDeniedException(){
        logger.info("Access Denied Handler");
        return "redirect:/securityAccessDeniedView";
    }

    @RequestMapping(value = "/securityAccessDeniedView")
    public String displayAccessDeniedView(){
        logger.info("Access Denied View");
        return "/SecurityAccessDenied";  // view name resolved by the configured view resolver
    }
}

+3
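A practitioner's caveat on the approach above, as an added example that is not part of the original answer: when the button that calls addUser is an Ajax postback (ICEfaces 2 is built on JSF 2 Ajax, and JSF 2 Ajax requests carry the header Faces-Request: partial/ajax), the forward that AccessDeniedHandlerImpl performs yields a 403 with an HTML body that the JSF client script will not navigate to. The handler below keeps the forward for full-page requests and answers an Ajax request with a JSF partial-response redirect instead; it also sets the error page once in the constructor rather than on every call to handle(). The class name, the package and the /accessDenied URL are assumptions.

```java
package org.demo.security;  // hypothetical package

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

/**
 * Added example: AccessDeniedHandler for a JSF 2 / ICEfaces front end.
 * Registered instead of access-denied-page:
 *
 *   <access-denied-handler ref="jsfAccessDeniedHandler"/>       (inside <http>)
 *   <beans:bean id="jsfAccessDeniedHandler" class="org.demo.security.JsfAwareAccessDeniedHandler">
 *       <beans:constructor-arg value="/accessDenied"/>
 *   </beans:bean>
 */
public class JsfAwareAccessDeniedHandler extends AccessDeniedHandlerImpl {

    /** Header the JSF 2 client script sends on every Ajax (partial) request. */
    static final String FACES_REQUEST_HEADER = "Faces-Request";
    static final String PARTIAL_AJAX = "partial/ajax";

    private final String accessDeniedUrl;   // context-relative, e.g. "/accessDenied" (assumed)

    public JsfAwareAccessDeniedHandler(String accessDeniedUrl) {
        this.accessDeniedUrl = accessDeniedUrl;
        setErrorPage(accessDeniedUrl);      // used by super.handle() for full-page requests
    }

    static boolean isPartialAjaxRequest(HttpServletRequest request) {
        return PARTIAL_AJAX.equals(request.getHeader(FACES_REQUEST_HEADER));
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException exception) throws IOException, ServletException {
        if (!isPartialAjaxRequest(request)) {
            // Full-page request: HTTP 403 + forward to the error page, as AccessDeniedHandlerImpl does.
            super.handle(request, response, exception);
            return;
        }
        if (response.isCommitted()) {
            return;   // nothing more can be sent on this response
        }
        // Ajax postback: send a partial-response redirect. The JSF client script expects a
        // 200 response with an XML body; a 403 would be reported as an Ajax error instead.
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/xml");
        response.setCharacterEncoding("UTF-8");
        PrintWriter out = response.getWriter();
        out.print(partialRedirect(request.getContextPath() + accessDeniedUrl));
        out.flush();
    }

    /** Builds the JSF 2 partial-response document that makes the client navigate to url. */
    static String partialRedirect(String url) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
             + "<partial-response><redirect url=\"" + escapeXmlAttribute(url) + "\"/></partial-response>";
    }

    /** Minimal escaping for the characters that matter inside a quoted XML attribute. */
    static String escapeXmlAttribute(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }
}
```

The /accessDenied page itself still has to be reachable by the denied user, which is why the question's configuration marks it permitAll; a handler that redirects to a page the user cannot see just produces a second AccessDeniedException.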

If something like a SimpleMappingExceptionResolver catches the exception first, it never reaches ExceptionTranslationFilter, which is what invokes the access-denied-handler.

+1
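To illustrate the point made above, that the configured handler only runs if ExceptionTranslationFilter actually sees the AccessDeniedException: in a JSF application the exception from the addUser action is raised inside the JSF lifecycle and is first queued to the JSF ExceptionHandler, and for an Ajax request the default JSF handler typically reports the error inside the partial response instead of rethrowing it, so the servlet filter chain never sees a raw AccessDeniedException. The following is an added example, not code from the question or the answers: a JSF 2 ExceptionHandlerWrapper that looks for an AccessDeniedException anywhere in the cause chain and performs the redirect itself (ExternalContext.redirect writes a partial-response redirect during an Ajax request). The class names, the package and the /accessDenied URL are assumptions.

```java
package org.demo.security;  // hypothetical package

import java.io.IOException;
import java.util.Iterator;

import javax.faces.FacesException;
import javax.faces.context.ExceptionHandler;
import javax.faces.context.ExceptionHandlerFactory;
import javax.faces.context.ExceptionHandlerWrapper;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ExceptionQueuedEvent;
import javax.faces.event.ExceptionQueuedEventContext;

import org.springframework.security.access.AccessDeniedException;

/**
 * Added example: JSF 2 ExceptionHandler that turns an AccessDeniedException thrown by a
 * @PreAuthorize-protected service (and queued by the JSF lifecycle) into a redirect.
 * Registered in faces-config.xml:
 *
 *   <factory>
 *     <exception-handler-factory>org.demo.security.AccessDeniedExceptionHandler$Factory</exception-handler-factory>
 *   </factory>
 */
public class AccessDeniedExceptionHandler extends ExceptionHandlerWrapper {

    static final String ACCESS_DENIED_URL = "/accessDenied";   // assumed; the page the question marks permitAll

    private final ExceptionHandler wrapped;

    public AccessDeniedExceptionHandler(ExceptionHandler wrapped) {
        this.wrapped = wrapped;
    }

    @Override
    public ExceptionHandler getWrapped() {
        return wrapped;
    }

    /** JSF, EL and AOP proxies wrap the original exception; walk the cause chain to find it. */
    static AccessDeniedException findAccessDenied(Throwable t) {
        for (Throwable cause = t; cause != null; cause = cause.getCause()) {
            if (cause instanceof AccessDeniedException) {
                return (AccessDeniedException) cause;
            }
        }
        return null;
    }

    @Override
    public void handle() throws FacesException {
        Iterator<ExceptionQueuedEvent> events = getUnhandledExceptionQueuedEvents().iterator();
        while (events.hasNext()) {
            ExceptionQueuedEventContext ctx = events.next().getContext();
            if (findAccessDenied(ctx.getException()) == null) {
                continue;   // not ours: the default handler deals with it below
            }
            FacesContext fc = ctx.getContext();
            ExternalContext ec = fc.getExternalContext();
            try {
                // Full-page request: HTTP redirect. Ajax request: JSF writes
                // <partial-response><redirect url="..."/> so the client navigates.
                ec.redirect(ec.getRequestContextPath() + ACCESS_DENIED_URL);
                fc.responseComplete();
            } catch (IOException e) {
                throw new FacesException("redirect to access denied page failed", e);
            } finally {
                events.remove();   // mark the event as handled so it is not rethrown
            }
        }
        getWrapped().handle();   // default handling for whatever is left in the queue
    }

    /** JSF instantiates the factory with the previously registered factory as parent. */
    public static class Factory extends ExceptionHandlerFactory {
        private final ExceptionHandlerFactory parent;

        public Factory(ExceptionHandlerFactory parent) {
            this.parent = parent;
        }

        @Override
        public ExceptionHandler getExceptionHandler() {
            return new AccessDeniedExceptionHandler(parent.getExceptionHandler());
        }
    }
}
```

Because this runs inside the JSF lifecycle, before the servlet filter chain, any auditing or account-locking that the custom AccessDeniedHandler in the first answer performs has to be done here as well (or delegated to that bean) for JSF requests, otherwise it is silently skipped on exactly the requests the JSF handler intercepts.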


Since you have a rule that checks "isAuthenticated()" in the rules, you will not be redirected to the access denied page, but to the login page.

Hope this helps.

0