BasicErrorController doesn't catch errors


Mateusz Brycki

Nov 14, 2015, 7:18:47 AM
to pac4j-users
Hi,
I am developing an application written in Spring with pac4j. Everything works fine: login, logout, interceptors, authorizers, but I have problems with catching the 403 error code.

First, some configuration:

Pac4j.java
    @Bean
    public Config config() {

        final CasClient casClient = new CasClient();
        // casClient.setGateway(true);
        casClient.setCasLoginUrl(environment.getProperty("cas.login.page"));
        casClient.setCasProtocol(CasClient.CasProtocol.CAS20);
        casClient.setLogoutHandler(new CasSingleSignOutHandler());
        casClient.addAuthorizationGenerator(new RolesAuthorizationGenerator());

        final Clients clients = new Clients(environment.getProperty("pac4j.application.callback"), casClient);

        final Config config = new Config(clients);
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer("ROLE_ADMIN"));
        config.addAuthorizer("user", new RequireAnyRoleAuthorizer("ROLE_USER", "ROLE_ADMIN"));
        config.addAuthorizer("custom", new CustomAuthorizer());

        return config;
    }


ApplicationConfig.java
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new RequiresAuthenticationInterceptor(config, "CasClient", "user")).addPathPatterns("/cas/*");
        registry.addInterceptor(new RequiresAuthenticationInterceptor(config, "CasClient", "admin")).addPathPatterns("/admin/*");
    }


Application.java (@Controller)
    @RequestMapping("/admin/index.html")
    public String protectAdmin(HttpServletRequest request, HttpServletResponse response, Map<String, Object> map) {
        return "admin";
    }


ErrorController.java
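    import javax.servlet.http.HttpServletRequest;

    import org.springframework.boot.autoconfigure.web.BasicErrorController;
    import org.springframework.boot.autoconfigure.web.DefaultErrorAttributes;
    import org.springframework.http.HttpStatus;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class ErrorController extends BasicErrorController {

        public ErrorController() {
            super(new DefaultErrorAttributes());
        }

        // Serves the HTML error view for the status code set on the error dispatch.
        @RequestMapping(
            value = {"${error.path:/error}"},
            produces = {"text/html"}
        )
        public ModelAndView errorHtml(HttpServletRequest request) {
            final HttpStatus status = getStatus(request);
            if (status == HttpStatus.UNAUTHORIZED) {
                return new ModelAndView("error401");
            } else if (status == HttpStatus.FORBIDDEN) {
                return new ModelAndView("error403");
            } else {
                return new ModelAndView("error500");
            }
        }

        // Reads the status code the servlet container stored on the request.
        private HttpStatus getStatus(HttpServletRequest request) {
            Integer statusCode = (Integer) request.getAttribute("javax.servlet.error.status_code");
            if (statusCode != null) {
                try {
                    return HttpStatus.valueOf(statusCode.intValue());
                } catch (Exception e) {
                    // Unknown status code: fall through to 500.
                }
            }
            return HttpStatus.INTERNAL_SERVER_ERROR;
        }
    }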

When I log in as a user with role "USER_ROLE" and open "admin/index.html" I get the default 403 error page: HTTP STATUS 403 - ROLE_ADMIN required.

User profile:
profile : | id: mateusz | attributes: {roles=ROLE_USER, id=3, username=mateusz} | roles: [ROLE_USER] | permissions: [] | isRemembered: false | 

On the Tomcat console I can see that the role is recognized correctly:
SPRING WEB PAC4J DEMO 13:09:29.081 [http-nio-8443-exec-153] DEBUG o.p.s.w.RequiresAuthenticationInterceptor - authorizerName: admin
SPRING WEB PAC4J DEMO 13:09:29.081 [http-nio-8443-exec-153] DEBUG o.p.s.w.RequiresAuthenticationInterceptor - forbidden

When I open the "/error" page I get:

    internal error
    Home

so the paths to the JSP files are appropriate.

I also tried to redirect errors using:
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {

            http
                .exceptionHandling()
                    .accessDeniedPage("/error");
        }
    }

but it doesn't work either.

Where am I making a mistake? Do you see anything missing?


Jérôme LELEU

Nov 14, 2015, 11:05:13 AM
to Mateusz Brycki, pac4j-users
Hi,

You are using the spring-webmvc-pac4j library, aren't you? Is it a Spring Boot application? Or a Spring web MVC one?

The http.exceptionHandling.accessDeniedPage is for Spring Security, which is not needed when using spring-webmvc-pac4j.

Thanks.
Best regards,
Jérôme






Mateusz Brycki

Nov 14, 2015, 11:22:31 AM
to pac4j-users, mateusz...@gmail.com

Yes, I use spring-webmvc-pac4j. My application is based on spring-web-mvc-pac4j-demo and I wanted to migrate it to the Boot version. I had a lot of problems with starting the SB example; now I don't remember why, but I saw both examples. When you look at my ErrorController and MyErrorController (from the example), the code is the same. I cannot find any mistake in the configuration.

Thank you for your response, I'm going to check everything again :)

Jérôme LELEU

Nov 16, 2015, 4:42:34 AM
to Mateusz Brycki, pac4j-users
Hi,

I don't see anything wrong. I checked the Spring Boot demo again and it works.

I have this mapping at startup:
2015-11-16 10:40:48.692  INFO 12223 --- [ac4jDemo.main()] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],produces=[text/html]}" onto public org.springframework.web.servlet.ModelAndView org.pac4j.demo.spring.controller.MyErrorController.errorHtml(javax.servlet.http.HttpServletRequest)
2015-11-16 10:40:48.692  INFO 12223 --- [ac4jDemo.main()] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error]}" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)

Do you have those as well?

Thanks.
Best regards,
Jérôme

Mateusz Brycki

Nov 19, 2015, 2:27:21 PM
to pac4j-users, mateusz...@gmail.com
Hello,

I moved my whole code to spring-webmvc-pac4j-boot-demo, because before that I had tried to run it using maven deploy and a standalone Tomcat instance.
Now everything works fine. I suppose one of the config classes that extended WebSecurityConfigurerAdapter overrode some configuration. In the future I'll spend more time to detect what was wrong.

Thank you for your help :)