Perhaps it should not be a redirect at all, just displaying the page. There are no special settings, nothing else; I use Java-based configuration:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class Security extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated()
                    .and()
                .exceptionHandling()
                    .accessDeniedPage("/error");
        }
    }

The /error page opens, everything is fine, and access to all /api/** links is closed, but instead of a redirect to /error I get the standard Tomcat 403 page.

    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class Pages {

        @RequestMapping("/error")
        public String index() {
            return "error"; // resolves to the "error" view template
        }
    }

Moreover, if I specify a login page via .formLogin, the redirect to the login page starts working. And if I specify my /error page in formLogin, everything works. But not with exceptionHandling.

    1 answer

    Figured it out. It was hard, because the information in the documentation is scattered chaotically, and however much I read, in the end I had to set a breakpoint and step through it while looking into the docs.

    The reason is this. accessDeniedPage is shown when an AccessDeniedException is thrown (logical, isn't it?), which happens somewhere deep inside the AccessDecisionManager. That is, by this point the Authentication has already been obtained, and the authentication objects have nothing to do with it. The transition to the page happens when the user was successfully recognized by one of the AuthenticationProviders in the AuthenticationManager chain, but did not have enough rights to access the page.

    But when there is no authentication data at all (for example, a login and password for UsernamePasswordAuthentication, or data in a cookie for RememberMe, whichever is enabled), a BadCredentialsException is thrown, which is a descendant of AuthenticationException. You need to handle it separately with .authenticationEntryPoint(...) (who came up with this name? I personally do not associate it at all with what it is used for) instead of .accessDeniedPage(...).
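The two-handler split the answer describes, as an added example that is not part of the original question or answer: in Spring Security the ExceptionTranslationFilter routes a request by an anonymous (or remember-me) principal to the AuthenticationEntryPoint, and a request by a fully authenticated principal that lacks authority to the AccessDeniedHandler. When neither .formLogin() nor .httpBasic() is configured, the default entry point is Http403ForbiddenEntryPoint, which is why the asker saw the container's plain 403 page rather than /error. The configuration below registers an entry point that forwards to /error inside the container (no redirect, as the asker wanted) and keeps accessDeniedPage("/error") for the authenticated-but-unauthorized case. The class, method and view names are assumptions chosen to match the question; the Spring Security types and calls are the real API of the WebSecurityConfigurerAdapter style used on this page.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class Security extends WebSecurityConfigurerAdapter {

    // Example entry point (name is an assumption for this example).
    // Reached when a request to a protected URL carries no usable
    // authentication at all. It answers 401 (not 403: the caller is not
    // denied, it simply has not identified itself yet) and forwards to
    // /error inside the container, so the browser URL does not change.
    private static AuthenticationEntryPoint forwardToErrorPage() {
        return (HttpServletRequest request, HttpServletResponse response,
                AuthenticationException authException) -> {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            request.getRequestDispatcher("/error").forward(request, response);
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // The error view itself must stay reachable, otherwise the
                // forward would hit the same rule and loop back here.
                .antMatchers("/error").permitAll()
                .antMatchers("/api/**").authenticated()
                .and()
            .exceptionHandling()
                // Anonymous or remember-me principal -> entry point above.
                .authenticationEntryPoint(forwardToErrorPage())
                // Fully authenticated principal without the required
                // authority -> AccessDeniedHandlerImpl: status 403, then a
                // container forward to /error (no redirect either).
                .accessDeniedPage("/error");
    }
}
```

Two practical notes. First, the forward target is served by the asker's Pages controller; if the error template is rendered by Spring Boot's own /error handling instead, the same forward still works because that path is permitted here. Second, for /api/** callers that are programs rather than browsers, an HTML error page is rarely what they want; the same .authenticationEntryPoint(...) slot accepts org.springframework.security.web.authentication.HttpStatusEntryPoint (for example new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) to return a bare status code instead of a page.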