Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-996: AccessDeniedhandlerimpl doesn't write response code if used with errorPage 

Applied supplied patch which checks the committed flag before forwarding to the error page.
This commit is contained in:
Luke Taylor 2008-12-10 12:36:59 +00:00
parent 7fe6a0fc0d
commit acfcac4594
1 changed files with 16 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java
View File

@ -54,20 +54,23 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
//~ Methods ======================================================================================================== //~ Methods ========================================================================================================
public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException) public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException)
throws IOException, ServletException { throws IOException, ServletException {
if (errorPage != null) {
// Put exception into request scope (perhaps of use to a view)
((HttpServletRequest) request).setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
accessDeniedException);
// Perform RequestDispatcher "forward"
RequestDispatcher rd = request.getRequestDispatcher(errorPage);
rd.forward(request, response);
}
if (!response.isCommitted()) { if (!response.isCommitted()) {
// Send 403 (we do this after response has been written) if (errorPage != null) {
((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage()); // Put exception into request scope (perhaps of use to a view)
request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, accessDeniedException);
// Set the 403 status code.
HttpServletResponse resp = (HttpServletResponse) response;
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
// forward to error page.
RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
dispatcher.forward(request, response);
} else {
HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
}
} }
} }