Spring Security Customized Access Denied Page

In this section, you will learn how to customize the access denied page in Spring Security.


The access denied page appears when an unauthorized user, one who does not have the privilege to view a page or section, tries to view it using their login and password. For example, when an unprivileged user tries to view the admin section pages, an error page appears showing the error code 403 and the message "Access is denied". In this section, we will customize the access denied page.

Some helpful examples related to this section:

  • Spring Security Authorized Access Using Auto generated Login Form

  • Spring Security Authorized Access Using Custom Login Form

  • Spring Security Authorized Access with Customized Login from Database

EXAMPLE

In the example below, there are two separate sections: user and admin. Both have separate logins, but if a user tries to log in to the admin section, a customized access denied page designed by us will appear.

The project structure and JAR files used are given below:

CODE

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
    <display-name>SpringSecurityAuthorizedAccessCustomLogin</display-name>
    <servlet>
        <servlet-name>Dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/Dispatcher-servlet.xml,
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

    <http auto-config="true">
        <!-- Ant pattern: /admin* matches /admin but not nested paths such as /admin/x -->
        <intercept-url pattern="/admin*" access="ROLE_ADMIN" />
        <!-- A single <logout> element configures logout for the whole <http> block -->
        <logout logout-success-url="/admin" />
        <intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
        <!-- Logged-in users who lack the required role are forwarded to /403 -->
        <access-denied-handler error-page="/403"/>
    </http>

    <authentication-manager>
        <authentication-provider>
            <!-- Demo-only in-memory accounts with plaintext passwords -->
            <user-service>
                <user name="user" password="roseindia" authorities="ROLE_USER" />
                <user name="admin" password="deepak" authorities="ROLE_ADMIN" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>

Dispatcher-servlet.xml

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:component-scan base-package="net.roseindia" />

    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix">
            <value>/WEB-INF/views/</value>
        </property>
        <property name="suffix">
            <value>.jsp</value>
        </property>
    </bean>

    <bean id="messageSource"
        class="org.springframework.context.support.ResourceBundleMessageSource">
        <property name="basenames">
            <list>
                <value>LoginMsg</value>
            </list>
        </property>
    </bean>

</beans>

LoginController.java

package net.roseindia;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    // Admin section: restricted to ROLE_ADMIN in spring-security.xml
    @RequestMapping(value = "/admin", method = RequestMethod.GET)
    public String welcomeAdmin(ModelMap model, Principal principal) {
        String username = principal.getName();
        model.addAttribute("user", username);
        model.addAttribute("msg", "Spring Security - ADMIN PAGE");
        return "welcome";
    }

    // User section: open to ROLE_USER and ROLE_ADMIN
    @RequestMapping(value = "/index", method = RequestMethod.GET)
    public String printMessage(ModelMap model, Principal principal) {
        String username = principal.getName();
        model.addAttribute("user", username);
        model.addAttribute("msg", "Spring Security-USER LOGIN");
        return "welcome";
    }

    // Target of <access-denied-handler error-page="/403"/>. No method
    // restriction: the denied request is forwarded here with its original
    // HTTP method, so a GET-only mapping would fail for a denied POST.
    @RequestMapping(value = "/403")
    public String accessDenied(ModelMap model) {
        model.addAttribute("msg", "You don't have privileges to view this page!!!");
        return "403";
    }
}

LoginMsg.properties

AbstractUserDetailsAuthenticationProvider.badCredentials=Wrong username\ /\ password

403.jsp

<html>
<body>
<h1>HTTP Status 403 - Access is denied</h1>
<h3>Message :<font color="Blue">${msg}</font></h3> 
</body>
</html>

welcome.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<body>
    <h3>${msg}</h3>
    <%-- c:out HTML-escapes the username before it is written to the page --%>
    <h3>Username : <c:out value="${user}" /></h3>

    <a href="<c:url value="/j_spring_security_logout" />" > Logoff</a>

</body>
</html>

OUTPUT

When you try to access the admin section using the URL below:

http://localhost:9090/SpringSecurityCustomAccessDeniedPage/admin

you will get the page below:

When you try to access the admin page/section using a normal user login (Username: user, Password: roseindia), you will get the customized access denied page below:
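
A denied request is also worth recording, since repeated 403s from one account can indicate probing of the admin section. The class below is an added example, not part of the tutorial's source code: it logs each denial and then delegates to Spring Security's AccessDeniedHandlerImpl so the same /403 page is shown. The class name LoggingAccessDeniedHandler and the bean id in the comment are assumptions.

```java
package net.roseindia;

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

// Added example (hypothetical class name). To use it, in spring-security.xml:
//   <beans:bean id="loggingAccessDeniedHandler" class="net.roseindia.LoggingAccessDeniedHandler"/>
//   <access-denied-handler ref="loggingAccessDeniedHandler"/>   (instead of error-page="/403")
public class LoggingAccessDeniedHandler implements AccessDeniedHandler {

    private static final Logger LOG =
            Logger.getLogger(LoggingAccessDeniedHandler.class.getName());

    // Stock handler: sets status 403 and forwards to the configured error page.
    private final AccessDeniedHandlerImpl delegate = new AccessDeniedHandlerImpl();

    public LoggingAccessDeniedHandler() {
        delegate.setErrorPage("/403"); // same page the tutorial configures
    }

    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String user = (auth == null) ? null : auth.getName();
        LOG.warning("access denied user=" + clean(user)
                + " method=" + clean(request.getMethod())
                + " uri=" + clean(request.getRequestURI())
                + " remote=" + clean(request.getRemoteAddr()));
        delegate.handle(request, response, ex);
    }

    // Replace control characters (CR, LF, ...) so request data cannot forge
    // extra log lines, and cap the length of each logged field.
    static String clean(String value) {
        if (value == null) {
            return "-";
        }
        String s = value.replaceAll("\\p{Cntrl}", "_");
        return s.length() > 200 ? s.substring(0, 200) : s;
    }
}
```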
