Reputation: 148
I would like to secure all my JSF pages with permissions. E.g. portal/customerEdit.jsf can be opened only if the user has the permission "customer:create".
Here is my current shiro-web.ini:
# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /common/login.jsf
authc.successUrl = /portal/dashboard.jsf
# Redirect to an access denied page if user does not have access rights
[roles]
roles.unauthorizedUrl = /common/access-denied.jsf
# Protected URLs
[urls]
/portal/customerEdit** = authc, perms["customer:create"]
/WEB-INF/layout/portal/** = authc
/portal/** = authc
/admin/** = authc
The security is working (the user can open the page only if he has the permission), but I only got a blank screen with simple text.
What I would like to do is redirect the user to an access-denied.jsf page (as I defined), but this is not working...
One piece of information: I'm not using "roles"... All my roles are dynamic from the database...
Any idea how I can solve this, so that the user will be redirected to the access-denied.jsf page?
Upvotes: 2
Views: 164
Reputation: 2080
You would want to set the unauthorizedUrl against the filter that you are using in your top section (not the roles section):
perms.unauthorizedUrl = ...
or set it globally with shiro.unauthorizedUrl
My guess is something like this would work:
# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /common/login.jsf
authc.successUrl = /portal/dashboard.jsf
# Redirect to an access denied page if user does not have access rights
perms.unauthorizedUrl = /common/access-denied.jsf
# Protected URLs
[urls]
/portal/customerEdit** = authc, perms["customer:create"]
/WEB-INF/layout/portal/** = authc
/portal/** = authc
/admin/** = authc
Keep us posted!
Upvotes: 1
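A small lint for the misconfiguration discussed in this thread, as an added example that is not part of the original question or answer: it reports `unauthorizedUrl` properties placed outside the main section and `[urls]` chains whose authorization filter has no redirect configured. The function names and sample configs are constructed for illustration, and it assumes only Shiro's default `perms`, `roles` and `rest` filters are in use.

```python
import re

# Shiro default authorization filters that accept unauthorizedUrl (custom ones not covered).
AUTHZ_FILTERS = {"perms", "roles", "rest"}
# Assumption: lines before any section header are treated like [main].
MAIN_SECTIONS = ("", "main")

# Constructed samples modelled on the configs in this thread.
BROKEN = """[main]
authc.loginUrl = /common/login.jsf
[roles]
roles.unauthorizedUrl = /common/access-denied.jsf
[urls]
/portal/customerEdit** = authc, perms["customer:create"]
/portal/** = authc
"""
FIXED = BROKEN.replace("[roles]\nroles.", "perms.")

def parse_ini(text):
    """Return {section: {key: value}} for a Shiro-style INI file."""
    sections, current = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def lint_unauthorized_url(text):
    """List the places where an access-denied redirect will not take effect."""
    ini = parse_ini(text)
    main = {k: v for s in MAIN_SECTIONS for k, v in ini.get(s, {}).items()}
    findings = [f"{key} in [{sec}] is not applied to any filter"
                for sec, props in ini.items() if sec not in MAIN_SECTIONS
                for key in props if key.endswith("unauthorizedUrl")]
    if "shiro.unauthorizedUrl" in main:
        return findings  # the global setting covers every authorization filter
    for pattern, chain in ini.get("urls", {}).items():
        names = re.sub(r"\[.*?\]", "", chain).split(",")  # drop perms[...] arguments
        for name in sorted({n.strip() for n in names} & AUTHZ_FILTERS):
            if f"{name}.unauthorizedUrl" not in main:
                findings.append(f"{pattern} uses {name} without {name}.unauthorizedUrl")
    return findings

print(lint_unauthorized_url(BROKEN))
```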