Throw an exception instead of sending back a HTTP error code. This is necessary so any demonstration of upgrading from Servlet Spec authorization to Spring Security authorization, as the latter's ExceptionTranslationFilter expects specific exceptions to be thrown if you wish to commence the authentication process.
This commit is contained in:
parent
2e4773525b
commit
55e4568003
|
@ -3,6 +3,7 @@ package bigbank.web;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.security.AuthenticationCredentialsNotFoundException;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
import org.springframework.web.servlet.mvc.Controller;
|
||||
|
@ -21,8 +22,7 @@ public class ListAccounts implements Controller {
|
|||
public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
// Security check (this is unnecessary if Spring Security is performing the authorization)
|
||||
// if (request.getUserPrincipal() == null) {
|
||||
// response.sendError(HttpServletResponse.SC_FORBIDDEN, "You must login to view the account list");
|
||||
// return null;
|
||||
// throw new AuthenticationCredentialsNotFoundException("You must login to view the account list (Spring Security message)"); // only for Spring Security managed authentication
|
||||
// }
|
||||
|
||||
// Actual business logic
|
||||
|
|
|
@ -3,6 +3,7 @@ package bigbank.web;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.springframework.security.AccessDeniedException;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.bind.ServletRequestUtils;
|
||||
import org.springframework.web.servlet.ModelAndView;
|
||||
|
@ -22,9 +23,8 @@ public class PostAccounts implements Controller {
|
|||
|
||||
public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||
// Security check (this is unnecessary if Spring Security is performing the authorization)
|
||||
// if (request.isUserInRole("ROLE_TELLER")) {
|
||||
// response.sendError(HttpServletResponse.SC_FORBIDDEN, "You must be a teller to post transactions");
|
||||
// return null;
|
||||
// if (!request.isUserInRole("ROLE_TELLER")) {
|
||||
// throw new AccessDeniedException("You must be a teller to post transactions (Spring Security message)"); // only for Spring Security managed authentication
|
||||
// }
|
||||
|
||||
// Actual business logic
|
||||
|
|
Loading…
Reference in New Issue