diff --git a/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java b/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
index 42085462b3..2af0a9fc10 100644
--- a/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
+++ b/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
@@ -54,20 +54,23 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
 //~ Methods ========================================================================================================
 public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException)
- throws IOException, ServletException {
- if (errorPage != null) {
- // Put exception into request scope (perhaps of use to a view)
- ((HttpServletRequest) request).setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
- accessDeniedException);
-
- // Perform RequestDispatcher "forward"
- RequestDispatcher rd = request.getRequestDispatcher(errorPage);
- rd.forward(request, response);
- }
-
+ throws IOException, ServletException {
 if (!response.isCommitted()) {
- // Send 403 (we do this after response has been written)
- ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
+ if (errorPage != null) {
+ // Put exception into request scope (perhaps of use to a view)
+ request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, accessDeniedException);
+
+ // Set the 403 status code.
+ HttpServletResponse resp = (HttpServletResponse) response;
+ resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+
+ // forward to error page.
+ RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
+ dispatcher.forward(request, response);
+ } else {
+ HttpServletResponse resp = (HttpServletResponse) response;
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
+ }
 }
 }
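Review bot: When `response.isCommitted()` is already true, the rewritten `handle()` skips the outer `if` and returns without doing anything, so a denial raised after output was flushed produces no 403 and, as far as this hunk shows, no record for anyone monitoring authorization failures. An `else` branch on the outer `if` that logs the denied request and the exception at warn level would keep these events visible, and a comment there such as `// response already committed: status can no longer be changed, record the denial only` would document why nothing is sent. Separately, the inner `else` branch still passes `accessDeniedException.getMessage()` to `sendError`, which servlet containers typically render into their default error page; if that message can carry request-derived or internal detail, `resp.sendError(HttpServletResponse.SC_FORBIDDEN);` with the detail kept in the server log is the safer form.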