Spring Security : Customize 403 access denied page

In this post , we will see how to customize 403 access denied page.
If user do not have access to page, then it will show default 403 page which will look like as below:
Spring security 403 access denied

You can customize 403 as below page:
Spring security 403 customize page

If you want to configure custom 403 access denied page, there are two ways to do it.
  • Using access-denied-handler error-page
  • Using AccessDeniedHandler ref

Using access-denied-handler error-page

You can put entry for attribute access-denied-handler in spring-security.xml as below.
 <http auto-config="true" use-expressions="true">
  <access-denied-handler error-page="/403" />
 ... other entries
so if user does not have access to page, it will be redirected to /403 and you can handle 403 in controller class as below:
 // for 403 access denied page
  @RequestMapping(value = "/403", method = RequestMethod.GET)
  public ModelAndView accesssDenied(Principal user) {

   ModelAndView model = new ModelAndView();
   if (user != null) {
    model.addObject("msg", "Hi " + user.getName()
    + ", You can not access this page!");
   } else {
    "You can not access this page!");

   return model;
We can create 403.jsp as below:
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>  
 <h1>HTTP Status 403 - Access is denied</h1>
<c:url value="/j_spring_security_logout" var="logoutUrl" />
<a href="${logoutUrl}">Log Out</a>
Please refer to Spring security database authentication for spring-security.xml and other files.
Using AccessDeniedHandler ref:
You can also use AccessDeniedHandler to handle 403 access denied page.
package org.arpit.java2blog.handler;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;

public class CustomAccessDeniedHandler implements AccessDeniedHandler {

 private String errorPage;

 public CustomAccessDeniedHandler() {

 public CustomAccessDeniedHandler(String errorPage) {
  this.errorPage = errorPage;

 public String getErrorPage() {
  return errorPage;

 public void setErrorPage(String errorPage) {
  this.errorPage = errorPage;

 public void handle(HttpServletRequest request, HttpServletResponse response,
  AccessDeniedException accessDeniedException)
                throws IOException, ServletException {

  //You can redirect to errorpage
You need to add ref in http tag in spring-security.xml.
 <http auto-config="true" use-expressions="true">
  <access-denied-handler ref=custom403 />
<beans:bean id="custom403"
<beans:property name="errorPage" value="403" />
... other entries

Download source code:

click to begin
20KB .zip

Written by Arpit:

If you have read the post and liked it. Please connect with me on Facebook | Twitter | Google Plus


Java tutorial for beginners Copyright © 2012