Spring Security Customized Access Denied Page
In this section, you will learn about Customized Access Denied Page in Spring Security.
In this section, you will learn about Customized Access Denied Page in Spring Security.Spring Security Customized Access Denied Page
In this section, you will learn about Customized Access Denied Page in Spring Security.
Access denied page appears when an unauthorized user which has not privileged for viewing a page/section , try to view it using their login & password. For example, when an unprivileged user tries to view an admin section pages , an error page will appear showing the error code 403 and a message "Access is denied". In this section, we will customize the access denied page.
Some helpful example related to this section is given below :
- Example related to Spring Security Authorized Access Using Auto generated Login Form,
Click Here .
- Example related to Spring Security Authorized Access Using Custom Login Form,
Click Here .
- Example related to Spring Security Authorized Access with Customized Login from
Database
Click Here .
EXAMPLE
In the below example, two separate section exists user and admin. Both have separate logins but if user try to login into admin section, a customize access denied page will appear which is designed by us.
The project structure and jar file used is given below :
CODE
web.xml
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>SpringSecurityAuthorizedAccessCustomLogin</display-name> <servlet> <servlet-name>Dispatcher</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>Dispatcher</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/Dispatcher-servlet.xml, /WEB-INF/spring-security.xml </param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd"> <http auto-config="true"> <intercept-url pattern="/admin*" access="ROLE_ADMIN" /> <logout logout-success-url="/admin" /> <intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" /> <logout logout-success-url="/index" /> <access-denied-handler error-page="/403"/> </http> <authentication-manager> <authentication-provider> <user-service> <user name="user" password="roseindia" authorities="ROLE_USER" /> <user name="admin" password="deepak" authorities="ROLE_ADMIN" /> </user-service> </authentication-provider> </authentication-manager> </beans:beans>
Dispatcher-servlet.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd"> <context:component-scan base-package="net.roseindia" /> <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver"> <property name="prefix"> <value>/WEB-INF/views/</value> </property> <property name="suffix"> <value>.jsp</value> </property> </bean> <bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource"> <property name="basenames"> <list> <value>LoginMsg</value> </list> </property> </bean> </beans>
LoginController.java
package net.roseindia;
import java.security.Principal;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@Controller
public class LoginController {
@RequestMapping(value = "/admin", method = RequestMethod.GET)
public String welcomeAdmin(ModelMap model, Principal principal) {
String username = principal.getName();
model.addAttribute("user", username);
model.addAttribute("msg", "Spring Security - ADMIN PAGE");
return "welcome";
}
@RequestMapping(value = "/index", method = RequestMethod.GET)
public String printMessage(ModelMap model, Principal principal) {
String username = principal.getName();
model.addAttribute("user", username);
model.addAttribute("msg", "Spring Security-USER LOGIN");
return "welcome";
}
@RequestMapping(value = "/403", method = RequestMethod.GET)
public String accessDenied(ModelMap model) {
model.addAttribute("msg", "You don't have privileges to view this page!!!");
return "403";
}
}
LoginMsg.properties
AbstractUserDetailsAuthenticationProvider.badCredentials=Wrong username\ /\ password
403.jsp
<html>
<body>
<h1>HTTP Status 403 - Access is denied</h1>
<h3>Message :<font color="Blue">${msg}</font></h3>
</body>
</html>
welcome.jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
<h3>${msg}</h3>
<h3>Username : ${user}</h3>
<a href="<c:url value="/j_spring_security_logout" />" > Logoff</a>
</body>
</html>
OUTPUT
When you try to access the admin using below URL :
http://localhost:9090/SpringSecurityCustomAccessDeniedPage/admin
You will get the below page :
When you try to access the admin page/section using a normal user login(Username : user, Password: roseindia), you will get the below customized access denied page :
