stackoom
  简体   繁体   中英

Custom HTTP 403 page not working in Spring Security

 原文  2016-05-04 13:48:28       java/ spring/ spring-mvc/ spring-security

Question

I want to replace the default access denied page:

HTTP 403

With my custom page and my approach was this: 

@Configuration
@EnableWebSecurity
public class SecurityContextConfigurer extends WebSecurityConfigurerAdapter {

    @Autowired
private UserDetailsService userDetailsService;

@Override
public void configure(WebSecurity web) throws Exception {
    web.ignoring().antMatchers("/resources/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.sessionManagement().maximumSessions(1)
            .sessionRegistry(sessionRegistry()).expiredUrl("/");
    http.authorizeRequests().antMatchers("/").permitAll()
            .antMatchers("/register").permitAll()
            .antMatchers("/security/checkpoint/for/admin/**").hasRole("ADMIN")
            .antMatchers("/rest/users/**").hasRole("ADMIN").anyRequest()
            .authenticated().and().formLogin().loginPage("/")
            .defaultSuccessUrl("/welcome").permitAll().and().logout()
            .logoutUrl("/logout");
}

@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}

@Bean
public AuthenticationProvider daoAuthenticationProvider() {
    DaoAuthenticationProvider daoAuthenticationProvider = new DaoAuthenticationProvider();
    daoAuthenticationProvider.setUserDetailsService(userDetailsService);

    return daoAuthenticationProvider;

}

@Bean
public ProviderManager providerManager() {

    List<AuthenticationProvider> arg0 = new CopyOnWriteArrayList<AuthenticationProvider>();
    arg0.add(daoAuthenticationProvider());

    return  new ProviderManager(arg0);

}

@Bean(name = "myAuthenticationManagerBean")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    return super.authenticationManagerBean();
}

@Override
protected AuthenticationManager authenticationManager() throws Exception {
    return providerManager();
}

    @Bean
    public ExceptionTranslationFilter exceptionTranslationFilter() {
        ExceptionTranslationFilter exceptionTranslationFilter = 
                new ExceptionTranslationFilter(new CustomAuthenticationEntryPoint());
        exceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler());

        return exceptionTranslationFilter;
    }
    @Bean
    public AccessDeniedHandlerImpl accessDeniedHandler() {
        AccessDeniedHandlerImpl accessDeniedHandlerImpl = new 
                AccessDeniedHandlerImpl();
        accessDeniedHandlerImpl.setErrorPage("/page_403.jsp");
        System.out.println("ACCESS DENIED IS CALLED......");
        return accessDeniedHandlerImpl;
    }

    private class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint{

        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authenticationException) throws IOException,
                ServletException {

            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Access denied.");
        }

    }   

}

But with this config above I'm still not getting the job done and seeing the same

HTTP 403

Are there more bean which must be injected for this purpose?

2 answers

solution1
 3 ACCPTED  2016-05-04 14:08:58

Disclaimer : this is not only solution, but a working one.

In this case my approach would be as simple as possible which is add this method in your SecurityContext 

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.sessionManagement().maximumSessions(1)
            .sessionRegistry(sessionRegistry()).expiredUrl("/");
    http.authorizeRequests().antMatchers("/").permitAll()
            .antMatchers("/register").permitAll()
            .antMatchers("/security/checkpoint/for/admin/**").hasRole("ADMIN")
            .antMatchers("/rest/users/**").hasRole("ADMIN").anyRequest()
            .authenticated().and().formLogin().loginPage("/")
            .defaultSuccessUrl("/welcome").permitAll().and().logout()
            .logoutUrl("/logout").and()
            .exceptionHandling().accessDeniedPage("/page_403");//this is what you have to do here to get job done.
}

Reference: Custom 403 Page in Spring Security .

solution2
 1  2016-05-04 14:07:38

As @M. Deinum pointed out, you should tell Spring Security how to incorporate these beans. Anyway, there is a much simpler way for what you're trying to achieve: 

@Configuration
@EnableWebSecurity
public class SecurityContextConfigurer extends WebSecurityConfigurerAdapter {
    // Rest omitted

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // The usual stuff
                .exceptionHandling()
                    .accessDeniedPage("/page_403.jsp")
                    .authenticationEntryPoint((request, response, authException) -> {
                        response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    });
    }
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question 403 Error for Custom Login Page Spring Security Change http 403 to 401 on failed custom spring security expression custom 403 error page with spring security configured via java code Spring Security Custom login page is not working Spring Boot + REST + Spring Security: how to generate a custom JSON response for HTTP 403 Spring security always returns HTTP 403 HTTP Status 403 - Access is denied Spring security spring security HTTP Status 403 - Access Denied Spring Security - j_spring_security_check - HTTP status 403 Spring Security Thyemleaf page 403 after login using custom login page
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM