Role-based access denial handling in Spring Security - how to?


I'm working on a Spring-based application with Spring Security. I have users with different roles and would like to implement access denial handling depending on the role. More specifically, the desired effect would be the following: when a user tries to access a resource that he is not allowed to, I would like to distinguish between the case where the denial is because the user is not authenticated and the case where it is due to insufficient privileges (wrong role). The users who are not authenticated can be directed to the regular 403 page, but the ones with just a wrong role I would like to redirect to a form in which they could request being granted the appropriate role.

I'm thinking about either adding the "<access-denied-handler error-page="/xyz">" and implementing the xyz controller, or somehow (not yet sure how) implementing this as a custom filter.

How would you tackle the problem? Is there any best practice for that? I was trying to google for some examples, as I would consider this a quite common pattern, but with no success.

Thanks a lot.


Solution

  • How would you tackle the problem?

    I would try to implement my custom AccessDeniedHandler and try to "register" it in the org.springframework.security.web.access.ExceptionTranslationFilter (read its class JavaDoc!).
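A handler along the lines the answer sketches, as an added example (not code from the question's author or from the Spring project). It assumes the javax.servlet API of older Spring Security versions and a role-request form whose URL is passed to the constructor; the class and URL names are placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

/**
 * Distinguishes "not logged in" from "logged in, wrong role" when an
 * AccessDeniedException reaches ExceptionTranslationFilter.
 *
 * Note that ExceptionTranslationFilter already sends anonymous (and
 * remember-me) users to the AuthenticationEntryPoint instead of calling
 * this handler, so the anonymous branch below is a defensive fallback.
 */
public class RoleAwareAccessDeniedHandler implements AccessDeniedHandler {

    // Default Spring handler: sends a plain HTTP 403 (or a configured error page).
    private final AccessDeniedHandler plain403 = new AccessDeniedHandlerImpl();
    private final String roleRequestUrl; // e.g. "/request-role" (placeholder)

    public RoleAwareAccessDeniedHandler(String roleRequestUrl) {
        this.roleRequestUrl = roleRequestUrl;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean fullyAuthenticated = auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);

        if (fullyAuthenticated) {
            // A real user lacking the required role: send them to the form
            // where they can ask for it (no user-controlled URL is echoed back,
            // so this redirect cannot be abused as an open redirect).
            response.sendRedirect(request.getContextPath() + roleRequestUrl);
        } else {
            // Not authenticated at all: keep the regular 403 behaviour.
            plain403.handle(request, response, ex);
        }
    }
}
```

Declare the class as a bean and register it inside `<http>` with `<access-denied-handler ref="roleAwareAccessDeniedHandler"/>` in place of the `error-page` variant; ExceptionTranslationFilter then invokes it for every AccessDeniedException it catches.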