public void handle(
HttpServletRequest request,
HttpServletResponse response,
AccessDeniedException accessDeniedException)
throws IOException, ServletException {
if (accessDeniedException instanceof CsrfException && !response.isCommitted()) {
// Remove the session cookie so that client knows it's time to obtain a new CSRF token
String pCookieName = "CSRF-TOKEN";
Cookie cookie = new Cookie(pCookieName, "");
cookie.setMaxAge(0);
cookie.setHttpOnly(false);
cookie.setPath("/");
response.addCookie(cookie);
}
accessDeniedHandlerImpl.handle(request, response, accessDeniedException);
}
/** <security:access-denied-handler error-page="/denied"/> */
@Bean
public AccessDeniedHandler accessDeniedHandler() {
AccessDeniedHandlerImpl adh = new AccessDeniedHandlerImpl();
adh.setErrorPage("/denied");
return adh;
}
/**
* The error page to use. Must begin with a "/" and is interpreted relative to the current context
* root.
*
* @param errorPage the dispatcher path to display
* @throws IllegalArgumentException if the argument doesn't comply with the above limitations
* @see AccessDeniedHandlerImpl#setErrorPage(String)
*/
public void setErrorPage(String errorPage) {
accessDeniedHandlerImpl.setErrorPage(errorPage);
}
