New access denied message.

src/main/java/eu/hbp/mip/configuration/SecurityConfiguration.java

 package eu.hbp.mip.configuration;
 
 import eu.hbp.mip.model.UserInfo;
-import eu.hbp.mip.utils.CORSFilter;
-import eu.hbp.mip.utils.CustomLoginUrlAuthenticationEntryPoint;
-import eu.hbp.mip.utils.HTTPUtil;
-import eu.hbp.mip.utils.UserActionLogging;
+import eu.hbp.mip.utils.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -17,7 +14,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.*;
-import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
@@ -40,8 +36,6 @@ import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
-import org.springframework.web.bind.annotation.ControllerAdvice;
-import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.WebUtils;
@@ -111,15 +105,6 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
     @Value("#{'${hbp.resource.revokeTokenUri:https://services.humanbrainproject.eu/oidc/revoke}'}")
     private String revokeTokenURI;
 
-    @ControllerAdvice
-    class AccessDeniedExceptionHandler {
-
-        @ExceptionHandler(value = AccessDeniedException.class)
-        public void handleConflict(HttpServletResponse response) throws IOException {
-            response.sendError(403, "Access is denied. Please contact the system administrator to request access.");
-        }
-    }
-
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         disableCertificateValidation();
@@ -137,6 +122,7 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
                     //.anyRequest().authenticated()
                     .anyRequest().hasRole("Researcher")
                     .and().exceptionHandling().authenticationEntryPoint(new CustomLoginUrlAuthenticationEntryPoint(loginUrl))
+                    .accessDeniedHandler(new CustomAccessDeniedHandler())
                     .and().logout().addLogoutHandler(authLogoutHandler()).logoutSuccessUrl(redirectAfterLogoutUrl)
                     .and().logout().permitAll()
                     .and().csrf().ignoringAntMatchers("/logout").csrfTokenRepository(csrfTokenRepository())

src/main/java/eu/hbp/mip/controllers/ExperimentApi.java

@@ -64,7 +64,7 @@ public class ExperimentApi {
     @Value("#{'${services.workflows.workflowUrl}'}")
     private String workflowUrl;
 
-    @Value("#{'${services.workflows.jwtSecret}'}")Α
+    @Value("#{'${services.workflows.jwtSecret}'}")
     private String jwtSecret;
 
     @Value("#{'${services.galaxy.galaxyUrl}'}")

src/main/java/eu/hbp/mip/controllers/SecurityApi.java

@@ -5,20 +5,19 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import eu.hbp.mip.configuration.SecurityConfiguration;
-import org.springframework.beans.factory.annotation.Value;
 import eu.hbp.mip.model.User;
 import eu.hbp.mip.model.UserInfo;
 import eu.hbp.mip.repositories.UserRepository;
+import eu.hbp.mip.utils.UserActionLogging;
 import io.swagger.annotations.ApiParam;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
-import eu.hbp.mip.utils.UserActionLogging;
+import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
@@ -45,8 +44,8 @@ public class SecurityApi {
     @RequestMapping(path = "/user", method = RequestMethod.GET)
     public Object user(Principal principal, HttpServletResponse response) {
         ObjectMapper mapper = new ObjectMapper();
-		
-		UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get user from /user","");
+
+        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get user from /user", "");
         try {
             String userJSON = mapper.writeValueAsString(userInfo.getUser());
             Cookie cookie = new Cookie("user", URLEncoder.encode(userJSON, "UTF-8"));
@@ -77,9 +76,9 @@ public class SecurityApi {
             user.setAgreeNDA(agreeNDA);
             userRepository.save(user);
         }
-		
-		UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "user agreeNDA","");
-		
+
+        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "user agreeNDA", "");
+
         return new ResponseEntity<>(HttpStatus.NO_CONTENT);
     }
 
@@ -106,16 +105,15 @@ public class SecurityApi {
      */
 
     @RequestMapping(path = "/galaxy", method = RequestMethod.GET, produces = "application/json")
-	@PreAuthorize("hasRole('Data Manager')")
+    @PreAuthorize("hasRole('Data Manager')")
     @ResponseStatus(value = HttpStatus.OK)
-    public ResponseEntity getGalaxyConfiguration(){
+    public ResponseEntity getGalaxyConfiguration() {
         String stringEncoded = Base64.getEncoder().encodeToString((galaxyUsername + ":" + galaxyPassword).getBytes());
         JsonObject object = new JsonObject();
         object.addProperty("authorization", stringEncoded);
         object.addProperty("context", galaxyContext);
-		UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get galaxy information","");
-		
+        UserActionLogging.LogUserAction(userInfo.getUser().getUsername(), "get galaxy information", "");
+
         return ResponseEntity.ok(gson.toJson(object));
     }
-
 }

src/main/java/eu/hbp/mip/utils/CustomAccessDeniedHandler.java

+package eu.hbp.mip.utils;
+
+import org.codehaus.jettison.json.JSONException;
+import org.codehaus.jettison.json.JSONObject;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.sql.Timestamp;
+
+public class CustomAccessDeniedHandler implements AccessDeniedHandler {
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response,
+                       AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        response.setContentType("application/json;charset=UTF-8");
+        response.setStatus(403);
+        try {
+            response.getWriter().write(new JSONObject()
+                    .put("timestamp", new Timestamp(System.currentTimeMillis()))
+                    .put("status", 403)
+                    .put("error", "Forbidden")
+                    .put("message", "Access Denied. Please contact the system administrator to request access.")
+                    .put("path", request.getServletPath())
+                    .toString());
+        } catch (JSONException e) {
+            response.getWriter().write("");
+            e.printStackTrace();
+        }
+    }
+}