AccessDeniedException not going to accessDenied.xhtml

Hi All,
I'm currently writting a spring 3 security app with jsf2.
I have setup my applicationContext_security.xml that contains:-

<sec:global-method-security access-decision-manager-ref="accessDecisionManager" pre-post-annotations="enabled" jsr250-annotations="enabled"/> <sec:http use-expressions="true" access-denied-page="/pages/static/accessDenied.xhtml"> <sec:intercept-url pattern="/pages/static/**" access="isAuthenticated()" /> <sec:intercept-url pattern="/faces/admin/**" access="hasAnyRole('PERM_MY_1')" /> <sec:intercept-url pattern="/faces/login**" access="hasAnyRole('ROLE_ANONYMOUS')" /> <sec:form-login login-page="/faces/login.xhtml" default-target-url="/faces/bikesShop.xhtml" authentication-failure-url="/faces/failed.xhtml?state=failure" /> <sec:logout logout-url="/j_spring_security_logout" logout-success-url="/"/> </sec:http>

I have one of service method that I guard as follows:-
@RolesAllowed({"PERM_MY_1"})
public abstract Bike getBike(Integer id);

How do I get the accessDenied.xhtml page to be displayed if the user does not have PERM_MY_1

I have noticed the following example:-
<global-method-security pre-post-annotations="enabled" > <expression-handler ref="expressionHandler"/> </global-method-security> <beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> <beans:property name="permissionEvaluator" ref="permissionEvaluator"/> </beans:bean>

Would I have to implement a DefaultMethodSecurityExpressionHandler and then some how direct a request to accessDenied.xhtml

Inside web.xml i have the followong:-
<error-page> <exception-type>org.springframework.security.access.AccessDeniedException</exception-type> <location>/faces/login.xhtml</location> </error-page>

Not sure what approach to take.

Mat

Can you post your web.xml?

Hi Vyas,
the following is my web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>JSFSample</display-name> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <listener> <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value>/WEB-INF/applicationContext*.xml</param-value> </context-param> <context-param> <param-name>javax.faces.PROJECT_STAGE</param-name> <param-value>Development</param-value> </context-param> <context-param> <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name> <param-value>true</param-value> </context-param> <context-param> <param-name>com.sun.faces.expressionFactory</param-name> <param-value>com.sun.el.ExpressionFactoryImpl</param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> <dispatcher>FORWARD</dispatcher> <dispatcher>REQUEST</dispatcher> </filter-mapping> <servlet> <servlet-name>Faces Servlet</servlet-name> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>/faces/*</url-pattern> <url-pattern>*.xhtml</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>faces/login.xhtml</welcome-file> </welcome-file-list> <error-page> <exception-type>org.springframework.security.access.AccessDeniedException</exception-type> <location>/faces/failed.xhtml</location> </error-page> </web-app>

I have <sec:debug /> set within applicationContext_security.xml and the following is displayed when I enter an incorrect password
org.springframework.security.access.AccessDeniedException: Access is denied

Since I'm guarding the following, how can I control what jsf is displayed to the user if the user does not have this role

@RolesAllowed({"PERM_MY_1"}) public abstract Bike getBike(Integer id);

Mat

hi,
Please check the security configuration properly.

Hi Miku,
not sure what I have done wrong here. I understand that if I get an authentication error then accessDenied.xhtml will be diaplayed.
Not sure how it works for Authentication as I would still like to display accessDenied.xhtml.

Have I missed something. This is my first attempt at spring 3 security.

Mat

Hi Miku,
made a slight mistake, i'm guarding the following method with role PERM_MY_2
@RolesAllowed({"PERM_MY_2"}) public abstract Bike getBike(Integer id);

The user currently has role PER_MY_1, hence wen he attempts to use the method getBike(Integer id)
I get a org.springframework.security.access.AccessDeniedException that is diplayed in the eclipse console.
I'm not sure how then get the accessDenied.xhtml page displayed or how to handle the expection.

Any ideas

Mat

Hi All,
sorry for asking again, but Im desprate to solve this one.
Can anybody shine any light on what I'm doing wrong.

Mat

Hi All,
I found a solution to this, just incase anybody had a similar problem.

It looks like access-denied-page does not work under spring3
<sec:http use-expressions="true" access-denied-page="/pages/static/accessDenied.xhtml">

Hence I had to create an accessDeniedHandler
<access-denied-handler ref="accessDeniedHandler"/> <bean id="accessDeniedHandler" class="com.handlers.MyAccessDeniedHandler"> <property name="accessDeniedUrl" value="/pages/static/accessDenied.xhtml" /> </bean>

public class MyAccessDeniedHandler implements AccessDeniedHandler { private String accessDeniedUrl; public MyAccessDeniedHandler() { } public MyAccessDeniedHandler(String accessDeniedUrl) { this.accessDeniedUrl = accessDeniedUrl; } @Override public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException { response.sendRedirect(accessDeniedUrl); request.getSession().setAttribute("message", "You do not have permission to access this page!"); } public String getAccessDeniedUrl() { return accessDeniedUrl; } public void setAccessDeniedUrl(String accessDeniedUrl) { this.accessDeniedUrl = accessDeniedUrl; } }

I hope this helps any body who had a similar problem.

Mat