spring security authentication required page

Question

I use Spring Security 3.0.7

I have a web security rule in the config file to allow the access to some pages just to authenticated users:

<intercept-url pattern="/faces/paginas/secured/**" access="isAuthenticated()"/>

When an anonymous user tries to access any of those pages, the login form is rendered, in order to enter the usename and password.

This is the default behaviour.

But is there any way to render a custom page instead of the login form? (for example, a page just showing a message like "Access denied")

Answer 1

Why not add authentication-failure-url attribute to form-login tag?

<form-login login-page="/login.htm"
                        default-target-url="/successview.htm"
                        always-use-default-target="true"
                        authentication-failure-url = "/accessdenied.htm?login_error=1" />

Answer 2

You have to specify your access denied page via

<form-login login-page="/accessDenied.htm" />

To enable "normal login", you have to wire up another page which submits its login form to /j_spring_security_check (if you don't change the defaults).

Answer 3

As it is written in Spring Security Documentation (section 9.2) you can specify accessDeniedHandler which could handle the 403 error (forbidden):

<bean id="accessDeniedHandler"
     class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
  <property name="errorPage" value="/accessDenied.htm"/>
</bean>

Further in point 9.2.2 you can read:

By default, an AccessDeniedHandlerImpl is used, which just sends a 403 (Forbidden) response to the client. Alternatively you can configure an instance explicitly (as in the above example) and set an error page URL which it will forwards the request to. This can be a simple “access denied” page, such as a JSP, or it could be a more complex handler such as an MVC controller. And of course, you can implement the interface yourself and use your own implementation.