Vladimir

Reputation: 1694

How to redirect unauthorized user to certain JSP page? (using declarative role based authorization)

[working with JEE, MVC-JSP + Servlets, TomEE server, MySQL]

I am using declarative form-based authentication and role-based authorization. So, basically my web.xml has the following content:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>secured</web-resource-name>
        <url-pattern>/somePage.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>ADMINISTRATOR</role-name>
</security-role>
<security-role>
    <role-name>USER</role-name>
</security-role>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

A user with the ADMINISTRATOR role is allowed to access somePage.jsp. When a user with the USER role tries to access somePage.jsp, access is (normally) denied and the page "HTTP Status 403 - Access to the requested resource has been denied" is returned in the browser.

When an unauthorized user tries to access somePage.jsp, I would like to redirect to another JSP page that contains an appropriate message. How can this be done? Or, what is the practice for handling unauthorized user access attempts?

Upvotes: 1

Views: 3084

Answers (1)

David

Reputation: 20063

You'd normally create a custom 403 error page and mapping in the web.xml. You'd have this mapped in your web.xml with something like...

<error-page>
    <!-- Forbidden directory listing -->
    <error-code>403</error-code>
    <location>/general-error.html</location>
</error-page>

/general-error.html would be your custom 403 error page. My understanding is these pages should be relatively generic as all the webapp has at the time is the error code, so they should be the same for all users.

Upvotes: 1
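
An added example, not part of the original answer: the same `<error-page>` mapping pointed at a small servlet instead of a static page, so the denied attempt is logged for detection and the response keeps its 403 status while a generic JSP is rendered. It assumes the `javax.servlet` API (use `jakarta.servlet` on Jakarta EE 9+); `AccessDeniedServlet`, `/access-denied` and `/WEB-INF/errors/403.jsp` are hypothetical names.

```java
// Added example. web.xml mapping that routes container-generated 403s here:
//   <error-page>
//       <error-code>403</error-code>
//       <location>/access-denied</location>
//   </error-page>
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/access-denied") // hypothetical path, must match <location> above
public class AccessDeniedServlet extends HttpServlet {

    private static final Logger LOG =
            Logger.getLogger(AccessDeniedServlet.class.getName());

    // Override service() so the handler answers whatever HTTP method the
    // denied request used (GET, POST, ...), not only GET.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Filled in by the container on an error dispatch; null when
        // /access-denied is requested directly.
        Object deniedUri = req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        String user = req.getRemoteUser(); // authenticated caller, or null

        // Record the attempt for monitoring. Control characters are replaced
        // so request data cannot forge extra log lines.
        LOG.warning("403 denied: user=" + clean(user)
                + " uri=" + clean(deniedUri)
                + " remote=" + req.getRemoteAddr());

        // Keep the 403 status and render a generic page. The JSP lives under
        // /WEB-INF so it cannot be requested directly, and it should not echo
        // role names or the protected path back to the user.
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        req.getRequestDispatcher("/WEB-INF/errors/403.jsp").forward(req, resp);
    }

    private static String clean(Object value) {
        return value == null ? "-" : value.toString().replaceAll("\\p{Cntrl}", "_");
    }
}
```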
