AccessDeniedHandler cannot handle exception thrown from AuthorizationManagerBeforeMethodInterceptor #12951
Comments
Hi, @insight720. Instead of a screenshot, will you please provide a minimal sample application? This will help get your issue addressed faster.
Sure. @jzheaux My application context info
Key Code
```java
@Configuration
@EnableWebSecurity
@EnableMethodSecurity // use Method Security
public class SpringSecurityConfig {

    @Configuration
    @RequiredArgsConstructor
    public static class SecurityFilterChainConfig {
        // autowired (constructor injection via Lombok @RequiredArgsConstructor)
        private final AuthenticationEntryPoint authenticationEntryPoint;
        private final AccessDeniedHandler accessDeniedHandler;

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            // accessDeniedHandler is configured
            http.exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
                .accessDeniedHandler(accessDeniedHandler);
            return http.build();
        }
    }
}
```

Controller method protected by method security:

```java
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
@PutMapping("/authority")
public Result<Void> modifyAccountAuthority(@Valid @RequestBody AccountAuthorityDTO accountAuthorityDTO) {
    userAccountService.updateAccountAuthority(accountAuthorityDTO);
    return ResultUtils.success();
}
```
My question is, is this situation normal? Or is this a BUG?

hi i have exactly same problem. is there any way?

@imaxkhan I am waiting for reply, and I have not further studied this issue at the moment. You can try whether
Hi, I have the same failure with Spring Boot 3.0.5 and Spring Security 6.0.2. Yes, the exception can be handled with @ControllerAdvice, but we cannot distinguish between authentication or authorization errors, which is the case with the AccessDeniedHandler. Furthermore, the API to register a dedicated AccessDeniedHandler within the HttpSecurity is not working as documented, and the ExceptionTranslationFilter, which has the aim to handle this kind of failure, never gets called.

Are we triaging this issue? Spring Security 6.0.2
I updated the dependencies to Spring Boot 3.1.2 and Spring Security 6.1.2 and the failure is still present. |
Hi everyone, if you clone my sample and perform the request |
I compared my configuration with the above provided one and found a configuration failure on my side. I would like to apologize for the inconvenience. I have defined a Thus, my error message is invalid and no longer valid. |
Thanks for the update, @Drophoff, and I'm glad you and @marcusdacoregio were able to sort things out. |
I imported the exceptions from Spring Security and it worked.
SecurityConfig does not need exceptionHandling to work.
Now if you want to customize the response error message. My DTO
Create the CustomAccessDeniedHandler class and implement import org.springframework.security.web.access.AccessDeniedHandler;
Now, in SecurityConfig, you need to add exceptionHandling.
Now ExceptionHandler removes AccessDeniedException.class and AuthorizationDeniedException.class.
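The point behind the last two comments is that an AccessDeniedException raised by the method-security interceptor is thrown inside the DispatcherServlet, so a catch-all @ExceptionHandler resolves it before it can ever reach the ExceptionTranslationFilter and the configured AccessDeniedHandler. The following is an added illustration, not code from the issue or from Spring Security: a JSON AccessDeniedHandler plus a global advice whose catch-all handler rethrows the security exceptions so the filter chain still routes them. The package name, the JSON body and the class names are assumptions.

```java
package example.security; // hypothetical package

import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/** Registered with http.exceptionHandling().accessDeniedHandler(...); writes a 403 JSON body. */
@Component
public class JsonAccessDeniedHandler implements AccessDeniedHandler {
    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException {
        response.setStatus(HttpStatus.FORBIDDEN.value());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.getWriter().write("{\"code\":403,\"message\":\"access denied\"}");
    }
}

@RestControllerAdvice
class GlobalExceptionAdvice {
    // A catch-all handler would swallow the AccessDeniedException thrown by
    // AuthorizationManagerBeforeMethodInterceptor, because that exception is raised
    // inside the DispatcherServlet, before the ExceptionTranslationFilter sees it.
    // Rethrowing leaves it unresolved, so it propagates to the filter, which then
    // calls the AccessDeniedHandler (or the AuthenticationEntryPoint for
    // AuthenticationException). AuthorizationDeniedException is a subclass of
    // AccessDeniedException, so the instanceof check covers it as well.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<String> onAnyException(Exception ex) throws Exception {
        if (ex instanceof AccessDeniedException || ex instanceof AuthenticationException) {
            throw ex;
        }
        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body("{\"code\":500,\"message\":\"internal error\"}");
    }
}
```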
Expected Behavior

The AccessDeniedHandler should be able to handle all AccessDeniedException.

Current Behavior

The AccessDeniedException thrown from the AuthorizationManagerBeforeMethodInterceptor does not appear to have been processed by the ExceptionTranslationFilter. Is this normal, a point that needs enhancement, or a bug? I am not sure. Please help me with my doubts, thank you.

Context

As shown in the figure, I correctly configured the AccessDeniedHandler, but the AccessDeniedException thrown due to using @PreAuthorize will not be processed by it.