From acfcac45944ec5d01eb3fa0fbae04010e1c07b64 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 10 Dec 2008 12:36:59 +0000
Subject: [PATCH] SEC-996: AccessDeniedhandlerimpl doesn't write response code if used with errorPage

Applied supplied patch which checks the committed flag before forwarding to the error page.
---
 .../security/ui/AccessDeniedHandlerImpl.java | 29 ++++++++++---------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java b/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
index 42085462b3..2af0a9fc10 100644
--- a/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
+++ b/core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
@@ -54,20 +54,23 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
     //~ Methods ========================================================================================================
     public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException)
-            throws IOException, ServletException {
-        if (errorPage != null) {
-            // Put exception into request scope (perhaps of use to a view)
-            ((HttpServletRequest) request).setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
-                accessDeniedException);
-
-            // Perform RequestDispatcher "forward"
-            RequestDispatcher rd = request.getRequestDispatcher(errorPage);
-            rd.forward(request, response);
-        }
-
+            throws IOException, ServletException {
         if (!response.isCommitted()) {
-            // Send 403 (we do this after response has been written)
-            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
+            if (errorPage != null) {
+                // Put exception into request scope (perhaps of use to a view)
+                request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, accessDeniedException);
+
+                // Set the 403 status code.
+                HttpServletResponse resp = (HttpServletResponse) response;
+                resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+
+                // forward to error page.
+                RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
+                dispatcher.forward(request, response);
+            } else {
+                HttpServletResponse resp = (HttpServletResponse) response;
+                resp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
+            }
         }
     }
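Review bot: When `response.isCommitted()` is already true the new `handle` body falls through and does nothing, so the client keeps whatever was written earlier instead of a 403 and nothing records that the denial could not be signalled; an `else` on the outer `if` with a debug-level log such as `logger.debug("Response already committed; 403 could not be written for the access denied result");` would make these cases visible during incident review, assuming the class has a logger (its fields are outside this hunk). The line `HttpServletResponse resp = (HttpServletResponse) response;` is repeated in both branches of `if (errorPage != null)` and can be hoisted above it. The `sendError` branch still hands `accessDeniedException.getMessage()` to the container's default error page, so whatever message text the exception carries is shown to the client; a one-line comment stating that deliberately would help the next maintainer, since the forwarding branch only exposes the exception to the configured page via the request attribute.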