Spring Security

Customize http 403 access denied page in Spring Security

In this tutorial we will discuss about the using custom access denied page or 403 page(Customized Access Denied Page in Spring Security) for access control for a specific resource or url.

Access denied page appears when an unauthorized user which has not privileged for viewing a page/section , try to view it using their login & password. For example, when an unprivileged user tries to view an admin section pages , an error page will appear showing the error code 403 and a message “Access is denied”. In this section, we will customize the access denied page.

In the below example, we will ensure secure URL access by providing auto generated Login form using Spring Security. User needs to provide correct login credential to view the page. For accessing admin section, you need to provide admin login and password. While for user section, both admin and user login are permitted. If you access with non admin privileges then it redirect to the custom access denied page as follows.
There are two ways for using custom denied page.

1. access-denied-handler

<security:http auto-config="true">
   <security:intercept-url pattern="/admin*" access="ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:access-denied-handler error-page="/403"/>
</security:http>

 

Tag- access-denied-handler
Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to  an AccessDeniedHandler instance.

Attribute- error-page
The access denied page that an authenticated user will be redirected to if they request a page which they don’t  have the authority to access.

It means the user with authority as ROLE_ADMIN can have access to URL /admin . Also, the URL /index is open for both type of users having authority ROLE_USER or ROLE_ADMIN . If non authorized user try to access /admin, a “http 403 access denied custom page(403.jsp)” will be displayed.

2. AccessDeniedHandler:

In second way, create a class and implements Spring’s AccessDeniedHandler, override handle() method and put your access denied logic inside.

package com.dineshonjava.error.handler;
 
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
 
public class MyAccessDeniedHandler implements AccessDeniedHandler {
 private String accessDeniedUrl;
 
 public MyAccessDeniedHandler() {
 }
 
 public MyAccessDeniedHandler(String accessDeniedUrl) {
  this.accessDeniedUrl = accessDeniedUrl;
 }
 
 @Override
 public void handle(HttpServletRequest request,
  HttpServletResponse response,
  AccessDeniedException accessDeniedException) throws IOException,
  ServletException {
 
    response.sendRedirect(accessDeniedUrl);
    request.getSession().setAttribute("message",
  " Sorry user_dineshonjava You don't have privileges to view this page!!!");
 
 }
 
 public String getAccessDeniedUrl() {
  return accessDeniedUrl;
 }
 
 public void setAccessDeniedUrl(String accessDeniedUrl) {
  this.accessDeniedUrl = accessDeniedUrl;
 }
}

Declares above Spring bean.

<bean id="accessDeniedHandler" class="com.dineshonjava.error.handler.MyAccessDeniedHandler">
 <property name="accessDeniedUrl" value="403" />
  </bean>

<security:http auto-config="true">
   <security:intercept-url pattern="/admin*" access="ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:intercept-url pattern="/index*" access="ROLE_USER,ROLE_ADMIN" />
   <security:logout logout-success-url="/index" />
   <security:access-denied-handler ref="accessDeniedHandler"/>
</security:http>

Some helpful example related to this section is given below :
Example related to Spring Security Authorized Access Using Auto generated Login Form, Click Here .
Example related to Spring Security Authorized Access Using Custom Login Form, Click Here .
Example related to Spring Security Authorized Access with Customized Login from Database Click Here .

In last Spring Security Authorized Access Control Example , if non authorized user try to access a protected page, default “http 403 access denied” will be display :

Project Directory structure-

Creating welcome page (welcome.jsp)

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>WELCOME TO SECURE AREA</title>
</head>
<body>
 <h1>Message : ${message}</h1> 
 <h1>Author : ${author}</h1> 
 <a href='<c:url value="/j_spring_security_logout" />' > Logout</a>
</body>
</html>

Assume below is your customized 403 page:
403.jsp

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>HTTP Status 403 - Access is denied</title>
</head>
<body>
 <h1>Message : ${message}</h1> 
</body>
</html>

Creating AdminController class (AdminController.java)
AdminController.java

package com.dineshonjava.admin.controller;

import java.security.Principal;

import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/**
 * @author Dinesh Rajput
 *
 */
@Controller
public class AdminController {
 
 @RequestMapping(value = "/admin", method = RequestMethod.GET)
 public String welcomeAdmin(ModelMap model, Principal principal) {
  String username = principal.getName();
  model.addAttribute("author", username);
  model.addAttribute("message", "Hello Spring Security - ADMIN PAGE");
  return "welcome";

 }

 @RequestMapping(value = "/index", method = RequestMethod.GET)
 public String printMessage(ModelMap model, Principal principal) {

  String username = principal.getName();
  model.addAttribute("author", username);
  model.addAttribute("message", "Hello Spring Security - USER LOGIN");
  return "welcome";
 }
 
 @RequestMapping(value = "/403", method = RequestMethod.GET)
 public String accessDenied(ModelMap model, Principal principal) {
  String username = principal.getName();
  model.addAttribute("message", "Sorry "+username+" You don't have privileges to view this page!!!");
  return "403";
 }

}

Spring Securing Configuration file (sdnext-security.xml)

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:>
Spring Configuration File (sdnext-servlet.xml)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
 xmlns:context="http://www.springframework.org/schema/context"
 xmlns:tx="http://www.springframework.org/schema/tx"
 xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd">
 
 <context:component-scan base-package="com.dineshonjava.admin" />

 
 <bean id="jspViewResolver"
  class="org.springframework.web.servlet.view.InternalResourceViewResolver">
  <property name="viewClass"
   value="org.springframework.web.servlet.view.JstlView" />
  <property name="prefix" value="/WEB-INF/views/" />
  <property name="suffix" value=".jsp" />
 </bean>
  
</beans>

Running the example

Now, if non authorized user is access the protected page, your customize 403 page will be displayed :

When you try to access the admin using below URL :

http://localhost:8080/sdnext/spring_security_login;jsessionid=A576B0C8EFB29231141D4FD3DE15A751

You will get the below page :

When you try to access the admin page/section using a normal user login(Username : user_dineshonjava, Password: sweetu), you will get the below customized access denied page :

Download Source Code + Libs
SpringSecurityCustomAccessDeniedPage.zip

References-
https://www.dineshonjava.com/spring-security-form-based-login-example/
Spring Security
Spring Security documentation

 

                             <<previous<<             || index  ||         >>next>>

 

Previous
Next
Dinesh Rajput

Dinesh Rajput is the chief editor of a website Dineshonjava, a technical blog dedicated to the Spring and Java technologies. It has a series of articles related to Java technologies. Dinesh has been a Spring enthusiast since 2008 and is a Pivotal Certified Spring Professional, an author of a book Spring 5 Design Pattern, and a blogger. He has more than 10 years of experience with different aspects of Spring and Java design and development. His core expertise lies in the latest version of Spring Framework, Spring Boot, Spring Security, creating REST APIs, Microservice Architecture, Reactive Pattern, Spring AOP, Design Patterns, Struts, Hibernate, Web Services, Spring Batch, Cassandra, MongoDB, and Web Application Design and Architecture. He is currently working as a technology manager at a leading product and web development company. He worked as a developer and tech lead at the Bennett, Coleman & Co. Ltd and was the first developer in his previous company, Paytm. Dinesh is passionate about the latest Java technologies and loves to write technical blogs related to it. He is a very active member of the Java and Spring community on different forums. When it comes to the Spring Framework and Java, Dinesh tops the list!

Share
Published by
Dinesh Rajput

Recent Posts

Strategy Design Patterns using Lambda

Strategy Design Patterns We can easily create a strategy design pattern using lambda. To implement…

2 years ago

Decorator Pattern using Lambda

Decorator Pattern A decorator pattern allows a user to add new functionality to an existing…

2 years ago

Delegating pattern using lambda

Delegating pattern In software engineering, the delegation pattern is an object-oriented design pattern that allows…

2 years ago

Spring Vs Django- Know The Difference Between The Two

Technology has emerged a lot in the last decade, and now we have artificial intelligence;…

2 years ago

TOP 20 MongoDB INTERVIEW QUESTIONS 2022

Managing a database is becoming increasingly complex now due to the vast amount of data…

2 years ago

Scheduler @Scheduled Annotation Spring Boot

Overview In this article, we will explore Spring Scheduler how we could use it by…

3 years ago