Add the AccessDeniedException to the HttpSession as per http://forum.springframework.org/viewtopic.php?t=1515.

This commit is contained in:
Ben Alex 2004-10-30 03:06:05 +00:00
parent 21f29bbbb3
commit 26f5f1a9b3
3 changed files with 18 additions and 5 deletions

View File

@ -6,6 +6,7 @@ Changes in version 0.7 (2004-xx-xx)
* Added MethodDefinitionSourceAdvisor for performance and autoproxying
* Added MethodDefinitionMap querying of interfaces defined by secure objects
* Added AuthenticationProcessingFilter.setDetails for use by subclasses
* Added 403-causing exception to HttpSession via SecurityEnforcementFilter
* Refactored MethodDefinitionSource to work with Method, not MethodInvocation
* Refactored AbstractSecurityInterceptor to better support other AOP libraries
* Fixed AbstractProcessingFitler to use removeAttribute (JRun compatibility)

View File

@ -54,10 +54,13 @@ import javax.servlet.http.HttpServletResponse;
* </p>
*
* <p>
* If an {@link AccessDeniedException} is detected, the filter will response
* with a <code>HttpServletResponse.SC_FORBIDDEN</code> (403 error). Again,
* this allows common access denied handling irrespective of the originating
* security interceptor.
* If an {@link AccessDeniedException} is detected, the filter will respond
* with a <code>HttpServletResponse.SC_FORBIDDEN</code> (403 error). In
* addition, the <code>AccessDeniedException</code> itself will be placed in
* the <code>HttpSession</code> attribute keyed against {@link
* #ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY} (to allow access to the stack
* trace etc). Again, this allows common access denied handling irrespective
* of the originating security interceptor.
* </p>
*
* <p>
@ -96,6 +99,7 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
//~ Static fields/initializers =============================================
private static final Log logger = LogFactory.getLog(SecurityEnforcementFilter.class);
public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";
//~ Instance fields ========================================================
@ -202,6 +206,8 @@ public class SecurityEnforcementFilter implements Filter, InitializingBean {
"Access is denied - sending back forbidden response");
}
((HttpServletRequest) request).getSession().setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
accessDenied);
sendAccessDeniedError(request, response);
} catch (Throwable otherException) {
throw new ServletException(otherException);

View File

@ -32,6 +32,7 @@ import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpSession;
/**
@ -64,8 +65,9 @@ public class SecurityEnforcementFilterTests extends TestCase {
public void testAccessDeniedWhenAccessDeniedException()
throws Exception {
// Setup our HTTP request
HttpSession session = new MockHttpSession();
MockHttpServletRequest request = new MockHttpServletRequest(null,
new MockHttpSession());
session);
request.setServletPath("/secure/page.html");
// Setup our expectation that the filter chain will not be invoked, as access is denied
@ -84,6 +86,10 @@ public class SecurityEnforcementFilterTests extends TestCase {
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, chain);
assertEquals(403, response.getError());
assertEquals(AccessDeniedException.class,
session.getAttribute(
SecurityEnforcementFilter.ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY)
.getClass());
}
public void testDoFilterWithNonHttpServletRequestDetected()