<access-denied-handler>
can't be placed inside <filter-invocation-definition-source>
. You have to create an exceptionTranslator
:
<bean id="exceptionTranslator" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login" />
</property>
<property name="accessDeniedHandler">
<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl"
p:errorPage="/accessDenied" />
</property>
</bean>
and wire it into your filterChainProxy
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map request-matcher="ant">
<sec:filter-chain pattern="/**"
filters="casAuthenticationFilter, casValidationFilter, wrappingFilter, sif, j2eePreAuthFilter, logoutFilter,
exceptionTranslator,
fsi" />
</sec:filter-chain-map>
</bean>