Spring Security – Customize the 403 Forbidden/Access Denied Page – Spring Security – 自定义 403 Forbidden/Access Denied 页面

最后修改: 2017年 2月 14日

1. Introduction


In this article, we will show how to customize the access denied page in a Spring Security project.

在这篇文章中,我们将展示如何在Spring Security项目中定制拒绝访问的页面

This can be achieved either through the Spring Security configuration or web application configuration in the web.xml file.

这可以通过Spring Security配置或web.xml文件中的Web应用配置来实现。

In the remaining sections, we will take a more in-depth look at each of these options.


2. Custom JSP


Whenever a user attempts to access a page that is restricted to roles they do not have, the application will return a status code of 403, which means Access Denied.


In order to replace the Spring 403 status response page with a custom one, let’s first create a JSP file called accessDenied.jsp:


<h2>Sorry, you do not have permission to view this page.</h2>

Click <a href="<c:url value="/homepage.html" /> ">here</a>
to go back to the Homepage.

3. Spring Security Configuration


By default, Spring Security has an ExceptionTranslationFilter defined which handles exceptions of type AuthenticationException and AccessDeniedException. The latter is done through a property called accessDeniedHandler, which uses the AccessDeniedHandlerImpl class.

默认情况下,Spring Security定义了一个ExceptionTranslationFilter,它处理AuthenticationExceptionAccessDeniedException类型的异常。后者是通过一个名为accessDeniedHandler的属性完成的,它使用了AccessDeniedHandlerImpl类。

In order to customize this behavior to use our own page that we created above, we need to override the properties of the ExceptionTranslationFilter class. This can be done through either Java configuration or XML configuration.


3.1. Access Denied Page


Using Java, we can customize the 403 error handling process by using the accessDeniedPage() or accessDeniedHandler() methods while configuring the HttpSecurity element.


Let’s create an authentication configuration that restricts the “/admin/**” URLs to the ADMIN role and sets the access denied page to our custom accessDenied.jsp page:


protected void configure(final HttpSecurity http) throws Exception {
      // ...

Let’s take a look at the equivalent XML configuration for the access denied page:


<http use-expressions="true">
    <access-denied-handler error-page="/accessDenied"/>

3.2. Access Denied Handler


Using an access denied handler instead of a page has the advantage that we can define custom logic to be executed before redirecting to the 403 page. For this, we need to create a class that implements the AccessDeniedHandler interface and overrides the handle() method.


Let’s create a custom AccessDeniedHandler class that logs a warning message for every access denied attempt containing the user that made the attempt and the protected URL they were trying to access:


public class CustomAccessDeniedHandler implements AccessDeniedHandler {

    public static final Logger LOG
      = Logger.getLogger(CustomAccessDeniedHandler.class);

    public void handle(
      HttpServletRequest request,
      HttpServletResponse response, 
      AccessDeniedException exc) throws IOException, ServletException {
        Authentication auth 
          = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            LOG.warn("User: " + auth.getName() 
              + " attempted to access the protected URL: "
              + request.getRequestURI());

        response.sendRedirect(request.getContextPath() + "/accessDenied");

In the security configuration, we’ll define the bean and set the custom AccessDeniedHandler:


public AccessDeniedHandler accessDeniedHandler(){
    return new CustomAccessDeniedHandler();


If we want to configure the CustomAccessDeniedHandler class defined above using XML, the configuration will look slightly different:


<bean name="customAccessDeniedHandler" 
  class="com.baeldung.security.CustomAccessDeniedHandler" />

<http use-expressions="true">
    <access-denied-handler ref="customAccessDeniedHandler"/>

4. Application Configuration


Handling the access denied error can be done through the web.xml file of a web application, by defining an error-page tag. This contains two subtags called error-code, which specifies the status code to be intercepted, and location, which signifies the URL to which the user will be redirected in case the error code is encountered:

处理拒绝访问的错误可通过 Web 应用程序的 web.xml 文件完成,方法是定义一个 error-page 标签。该标签包含两个子标签,名为error-code,,它指定了要拦截的状态代码,以及location,,它标志着用户在遇到错误代码时将被重定向到的URL。


If an application does not have a web.xml file, as is the case with Spring Boot, the Spring annotations do not currently provide an exact alternative to the error-page tag. According to the Spring documentation, in this case, the recommended approach is to use the methods accessDeniedPage() and accessDeniedHandler() presented in section 3.

如果应用程序没有web.xml文件,如Spring Boot的情况,Spring注解目前没有提供error-page标签的确切替代方法。根据Spring文档,在这种情况下,推荐的方法是使用第3节中介绍的方法accessDeniedPage()accessDeniedHandler()

5. Conclusion


In this quick article, we have detailed the various ways that an access denied error can be handled using a custom 403 page.


The complete source code of the article can be found in the GitHub project.