custom access denied page (#1133)

* custom access denied page * fix formatting, remove imports
2017-02-12 16:11:55 +02:00 · 2017-02-12 16:11:55 +02:00 · 424f55ac48
commit 424f55ac48
parent c6c3b71ba1
7 changed files with 82 additions and 11 deletions
--- a/spring-security-mvc-login/src/main/java/org/baeldung/security/CustomAccessDeniedHandler.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/security/CustomAccessDeniedHandler.java
@ -0,0 +1,30 @@
+package org.baeldung.security;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.log4j.Logger;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+
+    public static final Logger LOG = Logger.getLogger(CustomAccessDeniedHandler.class);
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException exc) throws IOException, ServletException {
+        Authentication auth = SecurityContextHolder.getContext()
+            .getAuthentication();
+        if (auth != null) {
+            LOG.warn("User: " + auth.getName() + " attempted to access the protected URL: " + request.getRequestURI());
+        }
+        
+        response.sendRedirect(request.getContextPath() + "/accessDenied");
+    }
+
+}
--- a/spring-security-mvc-login/src/main/java/org/baeldung/spring/MvcConfig.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/MvcConfig.java
@ -28,6 +28,7 @@ public class MvcConfig extends WebMvcConfigurerAdapter {
        registry.addViewController("/login.html");
        registry.addViewController("/homepage.html");
        registry.addViewController("/admin/adminpage.html");
+        registry.addViewController("/accessDenied");
    }

    @Bean
--- a/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
+++ b/spring-security-mvc-login/src/main/java/org/baeldung/spring/SecSecurityConfig.java
@ -1,5 +1,6 @@
 package org.baeldung.spring;

+import org.baeldung.security.CustomAccessDeniedHandler;
 import org.baeldung.security.CustomLogoutSuccessHandler;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -8,6 +9,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

@Configuration
@ -53,6 +55,9 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
        .logoutUrl("/perform_logout")
        .deleteCookies("JSESSIONID")
        .logoutSuccessHandler(logoutSuccessHandler());
+        //.and()
+        //.exceptionHandling().accessDeniedPage("/accessDenied");
+        //.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
        // @formatter:on
    }

@ -60,5 +65,10 @@ public class SecSecurityConfig extends WebSecurityConfigurerAdapter {
    public LogoutSuccessHandler logoutSuccessHandler() {
        return new CustomLogoutSuccessHandler();
    }
+    
+    @Bean
+    public AccessDeniedHandler accessDeniedHandler(){
+        return new CustomAccessDeniedHandler();
+    }

 }
--- a/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
+++ b/spring-security-mvc-login/src/main/resources/webSecurityConfig.xml
@ -19,10 +19,16 @@
            always-use-default-target="true"/>

        <logout logout-url="/perform_logout" delete-cookies="JSESSIONID" success-handler-ref="customLogoutSuccessHandler"/>
+
+        <!-- <access-denied-handler error-page="/accessDenied"/> -->
+        <access-denied-handler ref="customAccessDeniedHandler"/>
+    	
    </http>

    <beans:bean name="customLogoutSuccessHandler" class="org.baeldung.security.CustomLogoutSuccessHandler"/>

+    <beans:bean name="customAccessDeniedHandler" class="org.baeldung.security.CustomAccessDeniedHandler" />
+
    <authentication-manager>
        <authentication-provider>
            <user-service>
--- a/spring-security-mvc-login/src/main/webapp/WEB-INF/view/accessDenied.jsp
+++ b/spring-security-mvc-login/src/main/webapp/WEB-INF/view/accessDenied.jsp
@ -0,0 +1,15 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>Access Denied</title>
+</head>
+<body>
+<h2>Sorry, you do not have permission to view this page.</h2>
+
+Click <a href="<c:url value="/homepage.html" /> ">here</a> to go back to the Homepage.
+</body>
+</html>
--- a/spring-security-mvc-login/src/main/webapp/WEB-INF/view/homepage.jsp
+++ b/spring-security-mvc-login/src/main/webapp/WEB-INF/view/homepage.jsp
@ -4,21 +4,23 @@
 <head></head>

 <body>
-	<h1>This is the body of the sample view</h1>
+    <h1>This is the body of the sample view</h1>

-	<security:authorize access="hasRole('ROLE_USER')">
-		This text is only visible to a user
-		<br/>
-	</security:authorize>
+    <security:authorize access="hasRole('ROLE_USER')">
+        This text is only visible to a user
+        <br/> <br/>
+        <a href="<c:url value="/admin/adminpage.html" />">Restricted Admin Page</a>
+        <br/> <br/>
+    </security:authorize>
 	
-	<security:authorize access="hasRole('ROLE_ADMIN')">
-		This text is only visible to an admin
-		<br/>
+    <security:authorize access="hasRole('ROLE_ADMIN')">
+        This text is only visible to an admin
+        <br/>
        <a href="<c:url value="/admin/adminpage.html" />">Admin Page</a>
        <br/>
-	</security:authorize>
+    </security:authorize>
+
+    <a href="<c:url value="/perform_logout" />">Logout</a>

-	<a href="<c:url value="/perform_logout" />">Logout</a>
-	
 </body>
 </html>
--- a/spring-security-mvc-login/src/main/webapp/WEB-INF/web.xml
+++ b/spring-security-mvc-login/src/main/webapp/WEB-INF/web.xml
@ -43,8 +43,15 @@
        <url-pattern>/*</url-pattern>
    </filter-mapping>

+    <error-page>
+        <error-code>403</error-code>
+        <location>/accessDenied</location>
+    </error-page>
+	
    <!-- <welcome-file-list> -->
    <!-- <welcome-file>index.html</welcome-file> -->
    <!-- </welcome-file-list> -->
+    
+   

 </web-app>