The error "There was an unexpected error (type=Forbidden, status=403). Access Denied" is commonly seen in the browser when you open a URL of a Spring Boot application. The server refuses to serve the request because access to the URL is restricted and you do not have sufficient permission.

You either have no permission to access the page or only limited permission to it. Setting the access permission for the URL in the Spring Boot security configuration fixes this error.

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sat Feb 01 17:14:58 IST 2020
There was an unexpected error (type=Forbidden, status=403).
Access Denied


Root Cause

If the security module is configured in your Spring Boot application, access to each web URL must be explicitly allowed. If a URL is accessed without sufficient permission, the browser shows the Forbidden error with HTTP status code 403. The Spring Boot security module restricts page-level access to the roles configured for the application.

If a web url is called without sufficient permission, the above error message will be shown as a response from the spring boot application server.



How to reproduce this issue

The Spring Boot application is configured with the security module in the pom.xml file. Page-level security is not configured in the security configuration Java class. The security configuration class is created by extending the WebSecurityConfigurerAdapter class.

This issue will be reproduced in the example below. Configure the spring boot application as below and invoke any page url from the browser to display this error message.

pom.xml

		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-security</artifactId>
		</dependency>

SpringBootSecurityConfiguration.java

package com.yawintutor;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		  auth.inMemoryAuthentication()
		  .withUser("user").password("{noop}password").roles("USER") .and()
		  .withUser("admin").password("{noop}password").roles("ADMIN");
	}

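	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			.csrf()
			.disable()
			.authorizeRequests()
			// every URL requires authentication, but no login mechanism
			// (formLogin or httpBasic) is configured, so requests get 403
			.anyRequest().authenticated();
	}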
}


Solution 1

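In the Spring Boot security configuration class, add the appropriate page-level access permission and restart the application to resolve this issue. If you are not sure which permission is needed, add the code below. It permits every URL without authentication, so use it only to confirm that the security configuration is the cause, then replace it with specific rules like those in the complete example.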

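	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			.csrf()
			.disable()
			.authorizeRequests()
			// "/**" matches every URL, so all pages become public and
			// the anyRequest() rule below is never reached
			.antMatchers("/**").permitAll()
			.anyRequest().authenticated();
	}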

The complete Java code with page-level permissions is shown below.

package com.yawintutor;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		  auth.inMemoryAuthentication()
		  .withUser("user").password("{noop}password").roles("USER") .and()
		  .withUser("admin").password("{noop}password").roles("ADMIN");
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http
			.csrf()
			.disable()
			.authorizeRequests()
			// rules are checked in order; the first match decides
			.antMatchers("/", "/home", "/guest").permitAll()
			.antMatchers("/admin/**").hasAnyRole("ADMIN")
			.antMatchers("/user/**").hasAnyRole("USER")
			// anything not listed above needs a signed-in user
			.anyRequest().authenticated();
	}
}


Solution 2

If a user accesses a web page that they are not authorized to access, this error occurs. This can be a valid scenario. You can customize the error message as shown in this link: Spring Boot Security Step by Step 6.

The customized access denied response shows the user an informative error message.
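One way to customize the access denied response, as an added example that is not code from the original tutorial: it replaces the page's SpringBootSecurityConfiguration class, sends anonymous visitors to a login page, and returns a readable 403 (with a log entry) only when a signed-in user lacks the required role. It assumes Spring Boot 2.x with the WebSecurityConfigurerAdapter API used on this page; the deniedHandler method name, the message text and the use of formLogin are choices made for this example.

```java
package com.yawintutor;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;

@Configuration
public class SpringBootSecurityConfiguration extends WebSecurityConfigurerAdapter {

	private static final Logger log = LoggerFactory.getLogger(SpringBootSecurityConfiguration.class);

	// Same demo users as the page; {noop} stores the password in plain text.
	@Override
	public void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication()
			.withUser("user").password("{noop}password").roles("USER").and()
			.withUser("admin").password("{noop}password").roles("ADMIN");
	}

	// Hypothetical helper: handles a signed-in user who lacks the required role, e.g. "user" on /admin/**.
	private AccessDeniedHandler deniedHandler() {
		return (request, response, ex) -> {
			String name = request.getUserPrincipal() == null ? "anonymous" : request.getUserPrincipal().getName();
			// Log who was refused and where, so repeated denials can be reviewed.
			log.warn("Access denied: user={} method={} uri={}", name, request.getMethod(), request.getRequestURI());
			response.setStatus(403);
			response.setContentType("text/plain;charset=UTF-8");
			response.getWriter().write("Access denied: your account is not allowed to open this page.");
		};
	}

	@Override
	public void configure(HttpSecurity http) throws Exception {
		http	// CSRF protection is left at its default (enabled) in this example
			.authorizeRequests()
				.antMatchers("/", "/home", "/guest").permitAll()
				.antMatchers("/admin/**").hasRole("ADMIN")
				.antMatchers("/user/**").hasRole("USER")
				.anyRequest().authenticated()
				.and()
			.formLogin()	// anonymous requests are redirected to the login page, not answered with 403
				.and()
			.exceptionHandling().accessDeniedHandler(deniedHandler());
	}
}
```

With CSRF protection enabled, a request rejected for a missing or invalid CSRF token is passed to the same handler, which is why the message is kept generic.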



Solution 3

If you still have an issue with Spring Boot security, please follow the step-by-step procedure below to fix it.


