I am using Spring Security 3.0.4. I have a bunch of web services which are protected by Spring Security. When I access them as an unauthenticated user, Spring Security redirects to the login page. Instead of that, I want to return an HTTP 403 error. How can I achieve that?
Here is my security config:
<http auto-config="false" use-expressions="true" >
    <intercept-url pattern="/authorization.jsp" access="permitAll"/>
    <intercept-url pattern="/registration.jsp" access="permitAll"/>
    <intercept-url pattern="/api/authorization/auth" access="permitAll"/>
    <intercept-url pattern="/api/authorization/new" access="permitAll"/>
    <intercept-url pattern="/api/accounts/new" access="permitAll"/>
    <intercept-url pattern="/app/**" access="permitAll"/>
    <intercept-url pattern="/extjs/**" access="permitAll"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/authorization.jsp"
                default-target-url="/index.jsp"
                authentication-failure-url="/registration.jsp?login_error=1"
                always-use-default-target="true" />
    <logout logout-success-url="/authorization.jsp"
            logout-url="/j_spring_security_logout"
            invalidate-session="true"/>
</http>
Using Java, we can customize the 403 error handling process by using the accessDeniedPage() or accessDeniedHandler() methods while configuring the HttpSecurity element.
throw new org.springframework.security.access.AccessDeniedException("403 returned");

This returns a 403 in the response header. This works perfectly and should be the accepted answer because it's the most flexible.
Since this is exception handling, we use Spring Security's .exceptionHandling() method and tell it that we want to handle the access-denied case by passing a custom access-denied handler to the accessDeniedHandler() method (.exceptionHandling().accessDeniedHandler(accessDeniedHandler())).
For Java configuration you need to do
http.exceptionHandling().authenticationEntryPoint(alwaysSendUnauthorized401AuthenticationEntryPoint);
Where alwaysSendUnauthorized401AuthenticationEntryPoint is an instance of the class
import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

public class AlwaysSendUnauthorized401AuthenticationEntryPoint implements AuthenticationEntryPoint {

    // The original omits the LOGGER declaration; an SLF4J logger is assumed here.
    private static final Logger LOGGER =
            LoggerFactory.getLogger(AlwaysSendUnauthorized401AuthenticationEntryPoint.class);

    @Override
    public final void commence(HttpServletRequest request, HttpServletResponse response,
                               AuthenticationException authException) throws IOException {
        LOGGER.debug("Pre-authenticated entry point called. Rejecting access");
        // Send a bare 401 instead of redirecting to the login page.
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
This disables default behavior of Spring (redirecting unauthenticated requests to login form).
Side note: for such a case, HTTP code SC_UNAUTHORIZED (401) is a better choice than SC_FORBIDDEN (403).
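The two answers above configure the entry point and the access-denied handler separately. The following is an added example, not code from the question or from any of the answers, that puts both together for the URL rules in the question: an anonymous caller gets a 401 and an authenticated caller without ROLE_USER gets a 403, and neither is redirected to /authorization.jsp. It assumes Spring Security Java configuration (3.2 or later; the 3.0.4 release in the question has only the XML namespace), and the class and package names are made up for the example.

```java
// Added example (not from the original page). Assumes Spring Security 3.2+ Java config.
package example.security; // hypothetical package name

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Same permitAll rules as the question's <intercept-url> elements.
                .antMatchers("/authorization.jsp", "/registration.jsp",
                             "/api/authorization/auth", "/api/authorization/new",
                             "/api/accounts/new", "/app/**", "/extjs/**").permitAll()
                // hasRole("USER") adds the ROLE_ prefix itself (equivalent to hasRole('ROLE_USER')).
                .antMatchers("/**").hasRole("USER")
                .and()
            .exceptionHandling()
                // Runs for unauthenticated requests; replaces the redirect-to-login entry point
                // that formLogin() would otherwise install as the default.
                .authenticationEntryPoint(new StatusOnlyEntryPoint())
                // Runs only for authenticated principals that fail the access rule.
                .accessDeniedHandler(new StatusOnlyAccessDeniedHandler())
                .and()
            .formLogin()
                .loginPage("/authorization.jsp")
                .defaultSuccessUrl("/index.jsp", true)        // always-use-default-target="true"
                .failureUrl("/registration.jsp?login_error=1")
                .and()
            .logout()
                .logoutUrl("/j_spring_security_logout")
                .logoutSuccessUrl("/authorization.jsp")
                .invalidateHttpSession(true);
    }

    /** Unauthenticated caller: answer 401 with no redirect. */
    static final class StatusOnlyEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException)
                throws IOException, ServletException {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
        }
    }

    /** Authenticated caller lacking ROLE_USER: answer 403 with no redirect. */
    static final class StatusOnlyAccessDeniedHandler implements AccessDeniedHandler {
        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException)
                throws IOException, ServletException {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
        }
    }
}
```

An explicitly set authenticationEntryPoint wins over the default that formLogin() registers, so the login page still works for browser users who navigate to it directly while API calls get a status code. Strictly, a 401 response should carry a WWW-Authenticate header naming a challenge scheme; when the application has no such scheme (form login only), returning 403 from the entry point, as the question asks, is the common alternative. On the 3.0.x XML namespace used in the question the equivalent is the entry-point-ref attribute on <http>, pointing at a bean of type org.springframework.security.web.authentication.Http403ForbiddenEntryPoint.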