public void handle(
      HttpServletRequest request,
      HttpServletResponse response,
      AccessDeniedException accessDeniedException)
      throws IOException, ServletException {

    if (accessDeniedException instanceof CsrfException && !response.isCommitted()) {
      // Remove the session cookie so that client knows it's time to obtain a new CSRF token
      String pCookieName = "CSRF-TOKEN";
      Cookie cookie = new Cookie(pCookieName, "");
      cookie.setMaxAge(0);
      cookie.setHttpOnly(false);
      cookie.setPath("/");
      response.addCookie(cookie);
    }

    accessDeniedHandlerImpl.handle(request, response, accessDeniedException);
  }
Ejemplo n.º 2
0
 /** <security:access-denied-handler error-page="/denied"/> */
 @Bean
 public AccessDeniedHandler accessDeniedHandler() {
   AccessDeniedHandlerImpl adh = new AccessDeniedHandlerImpl();
   adh.setErrorPage("/denied");
   return adh;
 }
 /**
  * The error page to use. Must begin with a "/" and is interpreted relative to the current context
  * root.
  *
  * @param errorPage the dispatcher path to display
  * @throws IllegalArgumentException if the argument doesn't comply with the above limitations
  * @see AccessDeniedHandlerImpl#setErrorPage(String)
  */
 public void setErrorPage(String errorPage) {
   accessDeniedHandlerImpl.setErrorPage(errorPage);
 }