I'm using Spring 3.0.3 with Spring Security.

So, I have fairly lenient restrictions on an app I'm making. I only want to make sure that a person can log in and be authenticated in order to view the app. I don't want to grant roles to every potential user of this app (could be in the 10s of thousands).

So, it's been fine to use:

<security:intercept-url pattern="/**" access="isFullyAuthenticated()" requires-channel="https"/>

But now I want to be able to restrict people from using the app if I need to, so I created a role called ROLE_BANNED in the hopes that I could just assign roles to those people being problems.

So, now I'm trying this:

<security:intercept-url pattern="/**" access="isFullyAuthenticated() and not hasRole('ROLE_BANNED')" requires-channel="https"/>

This seemed to work at first, but it can't load my denied page. I believe that it is restricting access to the denied page. I can't load the denied page through the controller or as a jsp in WEB-INF.

Can someone show me how to allow authenticated users to access all of my app and send people with a specific role (ROLE_BANNED) to the denied page?

EDIT: Here is my whole security:http setup:

<security:http auto-config="true" access-denied-page="/denied" entry-point-ref="casAuthenticationEntryPoint" use-expressions="true">
    <security:intercept-url pattern="/**" access="isFullyAuthenticated() and not hasRole('ROLE_BANNED')" requires-channel="https"/>
    <security:intercept-url pattern="/denied" access="IS_AUTHENTICATED_FULLY" filters="none" />

    <security:logout logout-url="/logout" logout-success-url="${cas.logoutUrl}" />
    <security:session-management session-fixation-protection="none" />
    <security:custom-filter after="CAS_FILTER" ref="casAuthenticationFilter"/>
    <security:custom-filter before="CHANNEL_FILTER" ref="channelProcessingFilter" />
    <security:port-mappings>
        <security:port-mapping http="80" https="443" />
    </security:port-mappings>
</security:http>

I have tried using a controller mapped denied page (/denied), a jsp page (/denied.jsp) and even a simple html page (/denied.html), but I get a 404 for every single one. I don't see anything in the log files when this occurs.

A: 

As you said, I think you just need to make your "denied" page not require any security to access, so just add an intercept-url for that specific page...

This example is with Spring Security 2, but it should translate...

<intercept-url pattern="/denied.html" access="IS_AUTHENTICATED_ANONYMOUSLY" filters="none" />

Edit:

You'll probably also need to make your JavaScript, CSS, images, etc. have a similar exemption from the security restrictions; otherwise your page will not load up anything other than the plain text.

Ben J
This did not work for me. I've updated my question with more details.
I Never Finish Anythi
Ah, now that I think about it, it wouldn't. Your banned user is still logged in (not anonymous). If you strip away all your security stuff, can you still access /denied via URL?
Ben J