Reputation: 4350
I'm trying to configure some custom exception handling with Spring Security 3.1.2. I tried following the examples I found here and here, but neither works. I'm new to Spring Security, and I'm wondering if this might have something to do with the fact that I'm using a preauth filter. I'm throwing my custom exceptions from within the loadUserDetails() method of my AuthenticationUserDetailsService implementation.
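    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    // Request, User, AuthDao and CustomAuthException are application classes (not shown)
    public class AuthServiceImpl implements AuthenticationUserDetailsService<Authentication> {

        @Autowired
        private AuthDao authDao;

        @Override
        public UserDetails loadUserDetails(Authentication auth) throws UsernameNotFoundException {
            Request req = (Request) auth.getPrincipal();
            // get user details
            User u = authDao.loadUser(req.getSessionId());
            // check user rights for requested action
            if (!u.getRights().contains(req.getAction())) {
                throw new CustomAuthException("User does not have permission to perform this action");
            }
            return u;
        }
    }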
When the exception is thrown I just get the normal Tomcat 500 page with the exception details. For whatever reason my custom exceptions are not getting handled at all. I even added some println()s in the custom handler, and it's not even being called.
I'm starting to wonder if this method is somehow excluded from Spring's exception handling. I can provide more code examples if needed, but at this point I'm not sure what would be relevant to share.
Upvotes: 2
Views: 2955
Reputation: 7817
You use SimpleMappingExceptionResolver, which is a Spring MVC component. When an exception occurs during the execution of a controller, DispatcherServlet calls SimpleMappingExceptionResolver. The problem is that your AuthenticationUserDetailsService implementation is used only during the login action, and this action is processed by the Spring Security filter directly (Spring MVC is not used). The request does not reach DispatcherServlet, and SimpleMappingExceptionResolver will never be called in this case.
Upvotes: 2
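Because the exception is raised inside the filter chain, it has to be handled at the servlet-filter level. The following is an added example, not code from either poster: a plain servlet filter (hypothetical name AuthExceptionFilter), meant to be mapped ahead of springSecurityFilterChain in web.xml, that answers the question's CustomAuthException with a 403 instead of Tomcat's 500 page. It assumes CustomAuthException is unchecked; the stand-in class is there only so the block compiles on its own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Stand-in for the question's exception class; assumed here to be unchecked.
class CustomAuthException extends RuntimeException {
    CustomAuthException(String message) { super(message); }
}

// Hypothetical filter. Map it in web.xml BEFORE springSecurityFilterChain so that
// it wraps the pre-auth filter and sees whatever loadUserDetails() throws.
public class AuthExceptionFilter implements Filter {

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (RuntimeException e) {
            if (!reject(e, res)) throw e;   // not ours: let the container handle it
        } catch (ServletException e) {
            if (!reject(e, res)) throw e;   // an inner filter may have wrapped it
        }
    }

    // Returns true if a CustomAuthException is in the cause chain and was answered.
    private boolean reject(Throwable t, ServletResponse res) throws IOException {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CustomAuthException) {
                HttpServletResponse http = (HttpServletResponse) res;
                if (!http.isCommitted()) {
                    // Fixed text only: exception message and stack trace are not sent to the client.
                    http.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
                }
                return true;
            }
        }
        return false;
    }

    public void destroy() { }
}
```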