Examples of org.springframework.security.access.AccessDeniedException

• org.springframework.security.access.AccessDeniedException
  Thrown if an {@link org.springframework.security.core.Authentication Authentication} object does not hold arequired authority. @author Ben Alex

    @Test
    public void testHandleAccessDeniedException() {
        Principal principal = createMock(Principal.class);
        request.setUserPrincipal(principal);
        AccessDeniedException ade = new AccessDeniedException("error");

        expect(principal.getName()).andReturn("theuser");
        replay(principal);
        abstractRestApiImpl.handleAccessDeniedException(ade, request, response);
        assertThat(response.getStatus(), is(HttpStatus.FORBIDDEN.value()));

    UsernamePasswordAuthenticationToken authentication = (UsernamePasswordAuthenticationToken)message.getHeaders().get(SimpMessageHeaderAccessor.USER_HEADER);
    String destination = (String)message.getHeaders().get(SimpMessageHeaderAccessor.DESTINATION_HEADER);
    if((destination == null) || isAllowed(destination, authentication.getName())) {
      return message;
    }
    throw new AccessDeniedException("Message to destination " + destination + " not allowed for user " + authentication.getName());

  }

        .getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) : null;
    String errmsg = "";
    if (ae != null) {
      errmsg = ae.getMessage();
    } else {
      AccessDeniedException accessDenied = (AccessDeniedException) request
          .getAttribute(WebAttributes.ACCESS_DENIED_403);
      if (accessDenied != null) {
        errmsg = CapAppContext.getMessage("AccessCheck.AccessDenied",
            locale) + errmsg;
      }

        grant++;

        break;

      case AccessDecisionVoter.ACCESS_DENIED:
        throw new AccessDeniedException(messages.getMessage(
            "AbstractAccessDecisionManager.accessDenied",
            "Access is denied"));

      default:
        abstain++;

        break;
      }
    }

    // To get this far, there were no deny votes
    if (grant > 0) {
      return;
    } else if (abstain > 0) {
      throw new AccessDeniedException(messages.getMessage(
          "AbstractAccessDecisionManager.accessDenied",
          "Access is denied"));
    }

  }// ;

            if (isAdd(request) || request.getParameter("id") != null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                log.warn("User '" + request.getRemoteUser() + "' is trying to edit user with id '" +
                         request.getParameter("id") + "'");

                throw new AccessDeniedException("You do not have permission to modify other users.");
            }
        }

        if (!isFormSubmission(request)) {
            String userId = request.getParameter("id");

            if (!signupUser) {
                User currentUser = getCurrentUser(auth);

                if (user.getId() != null && !user.getId().equals(currentUser.getId()) && !administrator) {
                    log.warn("Access Denied: '" + currentUser.getUsername() + "' tried to modify '" + user.getUsername() + "'!");
                    throw new AccessDeniedException(ACCESS_DENIED);
                } else if (user.getId() != null && user.getId().equals(currentUser.getId()) && !administrator) {
                    // get the list of roles the user is trying add
                    Set<String> userRoles = new HashSet<String>();
                    if (user.getRoles() != null) {
                        for (Object o : user.getRoles()) {
                            Role role = (Role) o;
                            userRoles.add(role.getName());
                        }
                    }

                    // get the list of roles the user currently has
                    Set<String> authorizedRoles = new HashSet<String>();
                    for (GrantedAuthority role : roles) {
                        authorizedRoles.add(role.getAuthority());
                    }

                    // if they don't match - access denied
                    // regular users aren't allowed to change their roles
                    if (!CollectionUtils.isEqualCollection(userRoles, authorizedRoles)) {
                        log.warn("Access Denied: '" + currentUser.getUsername() + "' tried to change their role(s)!");
                        throw new AccessDeniedException(ACCESS_DENIED);
                    }
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Registering new user '" + user.getUsername() + "'");

        if (auth.getPrincipal() instanceof UserDetails) {
            currentUser = (User) auth.getPrincipal();
        } else if (auth.getDetails() instanceof UserDetails) {
            currentUser = (User) auth.getDetails();
        } else {
            throw new AccessDeniedException("User not properly authenticated.");
        }
        return currentUser;
    }

                return;
              }
            }

          }
          throw new AccessDeniedException("Acceso Denegado ("+object+")");
        }

  @Test
  public void testAuthenticationSuccess() {
    this.listener.onApplicationEvent(new AuthorizationFailureEvent(this, Arrays
        .<ConfigAttribute> asList(new SecurityConfig("USER")),
        new UsernamePasswordAuthenticationToken("user", "password"),
        new AccessDeniedException("Bad user")));
    verify(this.publisher).publishEvent((ApplicationEvent) anyObject());
  }

  private void checkResourceOwner(String user, Principal principal) {
    if (principal instanceof OAuth2Authentication) {
      OAuth2Authentication authentication = (OAuth2Authentication) principal;
      if (!authentication.isClientOnly() && !user.equals(principal.getName())) {
        throw new AccessDeniedException(String.format("User '%s' cannot obtain tokens for user '%s'",
            principal.getName(), user));
      }
    }
  }