In the previous Spring Security access control example, if an unauthorized user tries to access a protected page, the default “HTTP 403 access denied” page is displayed:

demo page - access denied

In this tutorial, we show you two ways to customize the above 403 access denied page in Spring Security.

1. access-denied-handler

The easiest way is to use the “access-denied-handler” tag and put your 403 page in the “error-page” attribute:

  <http auto-config="true">
	<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
	<!-- error-page must begin with "/" and point to your 403 page -->
	<access-denied-handler error-page="/403"/>
  </http>

2. AccessDeniedHandler

The second way is to create a class that implements Spring’s AccessDeniedHandler, override the handle() method and put your access denied logic inside.

File : MyAccessDeniedHandler.java (example referenced from an external source)

package com.mkyong.common.handler;
 
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
 
public class MyAccessDeniedHandler implements AccessDeniedHandler {
	private String accessDeniedUrl;
 
	public MyAccessDeniedHandler() {
	}
 
	public MyAccessDeniedHandler(String accessDeniedUrl) {
		this.accessDeniedUrl = accessDeniedUrl;
	}
 
	@Override
	public void handle(HttpServletRequest request,
		HttpServletResponse response,
		AccessDeniedException accessDeniedException) throws IOException,
		ServletException {
 
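	   // Store the message before redirecting: sendRedirect() commits the
	   // response, and a session cannot be created after that point
	   request.getSession().setAttribute("message",
		"You do not have permission to access this page!");
	   response.sendRedirect(accessDeniedUrl);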
 
	}
 
	public String getAccessDeniedUrl() {
		return accessDeniedUrl;
	}
 
	public void setAccessDeniedUrl(String accessDeniedUrl) {
		this.accessDeniedUrl = accessDeniedUrl;
	}
}

Declare the above class as a Spring bean:

   <bean id="accessDeniedHandler" 
	class="com.mkyong.common.handler.MyAccessDeniedHandler">
	<property name="accessDeniedUrl" value="403" />
   </bean>

Spring Security configuration:

   <http auto-config="true">
	<intercept-url pattern="/admin*" access="ROLE_ADMIN" />
	<access-denied-handler ref="accessDeniedHandler"/>
   </http>

3. Demo

Assume the following is your customized 403 page:

File : 403.jsp

<html>
<body>
	<h1>HTTP Status 403 - Access is denied</h1>
	<h3>Message : ${message}</h3>		
</body>
</html>

Now, if an unauthorized user accesses the protected page, your customized 403 page will be displayed:

access denied custom page
