Customize http 403 access denied page in Spring Security

In this tutorial we will discuss about the using custom access denied page or 403 page(Customized Access Denied Page in Spring Security) for access control for a specific resource or url.

Access denied page appears when an unauthorized user which has not privileged for viewing a page/section , try to view it using their login & password. For example, when an unprivileged user tries to view an admin section pages , an error page will appear showing the error code 403 and a message "Access is denied". In this section, we will customize the access denied page.

In the below example, we will ensure secure URL access by providing auto generated Login form using Spring Security. User needs to provide correct login credential to view the page. For accessing admin section, you need to provide admin login and password. While for user section, both admin and user login are permitted. If you access with non admin privileges then it redirect to the custom access denied page as follows. 
There are two ways for using custom denied page.
1. access-denied-handler
<security:http auto-config="true">
   <security:intercept-url pattern="/admin*" access="ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:access-denied-handler error-page="/403"/>
</security:http>

Tag- access-denied-handler
Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to  an AccessDeniedHandler instance.


Attribute- error-page
The access denied page that an authenticated user will be redirected to if they request a page which they don't  have the authority to access.


It means the user with authority as ROLE_ADMIN can have access to URL /admin . Also, the URL /index is open for both type of users having authority ROLE_USER or ROLE_ADMIN . If non authorized user try to access /admin, a "http 403 access denied custom page(403.jsp)" will be displayed.

2. AccessDeniedHandler:
In second way, create a class and implements Spring’s AccessDeniedHandler, override handle() method and put your access denied logic inside.

package com.dineshonjava.error.handler;
 
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
 
public class MyAccessDeniedHandler implements AccessDeniedHandler {
 private String accessDeniedUrl;
 
 public MyAccessDeniedHandler() {
 }
 
 public MyAccessDeniedHandler(String accessDeniedUrl) {
  this.accessDeniedUrl = accessDeniedUrl;
 }
 
 @Override
 public void handle(HttpServletRequest request,
  HttpServletResponse response,
  AccessDeniedException accessDeniedException) throws IOException,
  ServletException {
 
    response.sendRedirect(accessDeniedUrl);
    request.getSession().setAttribute("message",
  " Sorry user_dineshonjava You don't have privileges to view this page!!!");
 
 }
 
 public String getAccessDeniedUrl() {
  return accessDeniedUrl;
 }
 
 public void setAccessDeniedUrl(String accessDeniedUrl) {
  this.accessDeniedUrl = accessDeniedUrl;
 }
}
Declares above Spring bean.
<bean id="accessDeniedHandler" class="com.dineshonjava.error.handler.MyAccessDeniedHandler">
 <property name="accessDeniedUrl" value="403" />
  </bean>

<security:http auto-config="true">
   <security:intercept-url pattern="/admin*" access="ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:access-denied-handler ref="accessDeniedHandler"/>
</security:http>
Some helpful example related to this section is given below :
Example related to Spring Security Authorized Access Using Auto generated Login Form, Click Here .
Example related to Spring Security Authorized Access Using Custom Login Form, Click Here .
Example related to Spring Security Authorized Access with Customized Login from Database Click Here .

In last Spring Security Authorized Access Control Example , if non authorized user try to access a protected page, default "http 403 access denied" will be display :

Project Directory structure-


Creating welcome page (welcome.jsp)
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>WELCOME TO SECURE AREA</title>
</head>
<body>
 <h1>Message : ${message}</h1> 
 <h1>Author : ${author}</h1> 
 <a href='<c:url value="/j_spring_security_logout" />' > Logout</a>
</body>
</html>

Assume below is your customized 403 page:
403.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>HTTP Status 403 - Access is denied</title>
</head>
<body>
 <h1>Message : ${message}</h1> 
</body>
</html>

Creating AdminController class (AdminController.java)
AdminController.java

package com.dineshonjava.admin.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * @author Dinesh Rajput
 *
 */
@Controller
public class AdminController {
 
 @RequestMapping(value = "/admin", method = RequestMethod.GET)
 public String welcomeAdmin(ModelMap model, Principal principal) {
  String username = principal.getName();
  model.addAttribute("author", username);
  model.addAttribute("message", "Hello Spring Security - ADMIN PAGE");
  return "welcome";

 }

 @RequestMapping(value = "/index", method = RequestMethod.GET)
 public String printMessage(ModelMap model, Principal principal) {

  String username = principal.getName();
  model.addAttribute("author", username);
  model.addAttribute("message", "Hello Spring Security - USER LOGIN");
  return "welcome";
 }
 
 @RequestMapping(value = "/403", method = RequestMethod.GET)
 public String accessDenied(ModelMap model, Principal principal) {
  String username = principal.getName();
  model.addAttribute("message", "Sorry "+username+" You don't have privileges to view this page!!!");
  return "403";
 }

}

Spring Securing Configuration file (sdnext-security.xml)

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p" 
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

 <security:http auto-config="true">
  <security:intercept-url pattern="/admin*" access="ROLE_ADMIN" />
  <security:logout logout-success-url="/index" />
  <security:intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
  <security:logout logout-success-url="/index" />
  <security:access-denied-handler error-page="/403"/>
 </security:http>

    <security:authentication-manager>
   <security:authentication-provider>
     <security:user-service>
      <security:user name="user_dineshonjava" password="sweetu" authorities="ROLE_USER" />
      <security:user name="admin_dineshonjava" password="sweetu" authorities="ROLE_ADMIN" />
     </security:user-service>
     
   </security:authentication-provider>
 </security:authentication-manager>

</beans>

Spring Configuration File (sdnext-servlet.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:context="http://www.springframework.org/schema/context"
 xmlns:tx="http://www.springframework.org/schema/tx"
 xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
 
 <context:component-scan base-package="com.dineshonjava.admin" />

 
 <bean id="jspViewResolver"
  class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass"
   value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/views/" />
  <property name="suffix" value=".jsp" />
 </bean>
  
</beans>

Running the example

Now, if non authorized user is access the protected page, your customize 403 page will be displayed :

When you try to access the admin using below URL :

http://localhost:8080/sdnext/spring_security_login;jsessionid=A576B0C8EFB29231141D4FD3DE15A751

You will get the below page :

When you try to access the admin page/section using a normal user login(Username : user_dineshonjava, Password: sweetu), you will get the below customized access denied page :



Download Source Code + Libs
SpringSecurityCustomAccessDeniedPage.zip

References-
http://www.dineshonjava.com/2013/02/spring-security-form-based-login-example.html
Spring Security
Spring Security documentation



                             <<previous<<             || index  ||         >>next>>

No comments:

Post a Comment