SEC-257: ExceptionTranslationFilter to use AccessDeniedHandler.

2006-04-28 06:52:50 +00:00 · 2006-04-28 06:52:50 +00:00 · cc07f620df
parent 9a90e4e1aa
commit cc07f620df
8 changed files with 195 additions and 37 deletions
--- a/core/src/main/java/org/acegisecurity/ui/AccessDeniedHandler.java
+++ b/core/src/main/java/org/acegisecurity/ui/AccessDeniedHandler.java
@ -0,0 +1,50 @@
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.acegisecurity.ui;
+
+import org.acegisecurity.AccessDeniedException;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+
+/**
+ * Used by {@link ExceptionTranslationFilter} to handle an
+ * <code>AccessDeniedException</code>.
+ *
+ * @author Ben Alex
+ * @version $Id$
+ */
+public interface AccessDeniedHandler {
+    //~ Methods ================================================================
+
+    /**
+     * Handles an access denied failure.
+     *
+     * @param request that resulted in an <code>AccessDeniedException</code>
+     * @param response so that the user agent can be advised of the failure
+     * @param accessDeniedException that caused the invocation
+     *
+     * @throws IOException in the event of an IOException
+     * @throws ServletException in the event of a ServletException
+     */
+    public void handle(ServletRequest request, ServletResponse response,
+        AccessDeniedException accessDeniedException)
+        throws IOException, ServletException;
+}
--- a/core/src/main/java/org/acegisecurity/ui/AccessDeniedHandlerImpl.java
+++ b/core/src/main/java/org/acegisecurity/ui/AccessDeniedHandlerImpl.java
@ -0,0 +1,106 @@
+/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.acegisecurity.ui;
+
+import org.acegisecurity.AccessDeniedException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import java.io.IOException;
+
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+
+/**
+ * Base implementation of {@link AccessDeniedHandler}.
+ * 
+ * <p>
+ * This implementation sends a 403 (SC_FORBIDDEN) HTTP error code. In addition,
+ * if a {@link #errorPage} is defined, the implementation will perform a
+ * request dispatcher "forward" to the specified error page view. Being a
+ * "forward", the <code>SecurityContextHolder</code> will remain populated.
+ * This is of benefit if the view (or a tag library or macro) wishes to access
+ * the <code>SecurityContextHolder</code>. The request scope will also be
+ * populated with the exception itself, available from the key {@link
+ * #ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY}.
+ * </p>
+ *
+ * @author Ben Alex
+ * @version $Id$
+ */
+public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
+    //~ Static fields/initializers =============================================
+
+    public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";
+    protected final static Log logger = LogFactory.getLog(AccessDeniedHandlerImpl.class);
+
+    //~ Instance fields ========================================================
+
+    private String errorPage;
+
+    //~ Methods ================================================================
+
+    public void handle(ServletRequest request, ServletResponse response,
+        AccessDeniedException accessDeniedException)
+        throws IOException, ServletException {
+        if (errorPage != null) {
+            // Put exception into request scope (perhaps of use to a view)
+            ((HttpServletRequest) request).setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
+                accessDeniedException);
+
+            // Perform RequestDispatcher "forward"
+            RequestDispatcher rd = request.getRequestDispatcher(errorPage);
+
+            try {
+                rd.forward(request, response);
+                ((HttpServletResponse)response).setStatus(HttpServletResponse.SC_FORBIDDEN);
+                return;
+            } catch (Exception responseCommitted) {
+                if (logger.isErrorEnabled()) {
+                    logger.error("Error processing " + request.toString(),
+                        responseCommitted);
+                }
+            }
+        }
+
+        // Send 403 (we do this after response has been written)
+        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
+            accessDeniedException.getMessage());
+    }
+
+    /**
+     * The error page to use. Must begin with a "/" and is interpreted relative
+     * to the current context root.
+     *
+     * @param errorPage the dispatcher path to display
+     *
+     * @throws IllegalArgumentException if the argument doesn't comply with the
+     *         above limitations
+     */
+    public void setErrorPage(String errorPage) {
+        if ((errorPage != null) && !errorPage.startsWith("/")) {
+            throw new IllegalArgumentException("ErrorPage must begin with '/'");
+        }
+
+        this.errorPage = errorPage;
+    }
+}
--- a/core/src/main/java/org/acegisecurity/ui/ExceptionTranslationFilter.java
+++ b/core/src/main/java/org/acegisecurity/ui/ExceptionTranslationFilter.java
@ -69,13 +69,9 @@ import javax.servlet.http.HttpServletResponse;
 * If an {@link AccessDeniedException} is detected, the filter will determine
 * whether or not the user is an anonymous user. If they are an anonymous
 * user, the <code>authenticationEntryPoint</code> will be launched. If they
- * are not an anonymous user, the filter will respond with a
- * <code>HttpServletResponse.SC_FORBIDDEN</code> (403 error).  In addition,
- * the <code>AccessDeniedException</code> itself will be placed in the
- * <code>HttpSession</code> attribute keyed against {@link
- * #ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY} (to allow access to the stack
- * trace etc). Again, this allows common access denied handling irrespective
- * of the originating security interceptor.
+ * are not an anonymous user, the filter will delegate to the {@link
+ * org.acegisecurity.ui.AccessDeniedHandler}. By default the filter will use
+ * {@link org.acegisecurity.ui.AccessDeniedHandlerImpl}.
 * </p>
 * 
 * <p>
@ -109,10 +105,10 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean {
    //~ Static fields/initializers =============================================

    private static final Log logger = LogFactory.getLog(ExceptionTranslationFilter.class);
-    public static final String ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY = "ACEGI_SECURITY_403_EXCEPTION";

    //~ Instance fields ========================================================

+    private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
    private AuthenticationEntryPoint authenticationEntryPoint;
    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
    private PortResolver portResolver = new PortResolverImpl();
@ -199,11 +195,11 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean {
                        "Full authentication is required to access this resource"));
            } else {
                if (logger.isDebugEnabled()) {
-                    logger.debug("Access is denied (user is not anonymous); sending back forbidden response",
+                    logger.debug("Access is denied (user is not anonymous); delegating to AccessDeniedHandler",
                        exception);
                }

-                sendAccessDeniedError(request, response, chain,
+                accessDeniedHandler.handle(request, response,
                    (AccessDeniedException) exception);
            }
        }
@ -231,20 +227,6 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean {
        return createSessionAllowed;
    }

-    protected void sendAccessDeniedError(ServletRequest request,
-        ServletResponse response, FilterChain chain,
-        AccessDeniedException accessDenied)
-        throws ServletException, IOException {
-        if (createSessionAllowed) {
-            ((HttpServletRequest) request).getSession()
-             .setAttribute(ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
-                accessDenied);
-        }
-
-        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
-            accessDenied.getMessage()); // 403
-    }
-
    protected void sendStartAuthentication(ServletRequest request,
        ServletResponse response, FilterChain chain,
        AuthenticationException reason) throws ServletException, IOException {
@ -274,6 +256,11 @@ public class ExceptionTranslationFilter implements Filter, InitializingBean {
            (HttpServletResponse) response, reason);
    }

+    public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) {
+        Assert.notNull(accessDeniedHandler, "AccessDeniedHandler required");
+        this.accessDeniedHandler = accessDeniedHandler;
+    }
+
    public void setAuthenticationEntryPoint(
        AuthenticationEntryPoint authenticationEntryPoint) {
        this.authenticationEntryPoint = authenticationEntryPoint;
--- a/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java
+++ b/core/src/test/java/org/acegisecurity/ui/ExceptionTranslationFilterTests.java
@ -113,17 +113,22 @@ public class ExceptionTranslationFilterTests extends TestCase {
        // Setup SecurityContextHolder, as filter needs to check if user is anonymous
        SecurityContextHolder.getContext().setAuthentication(null);

+        // Setup a new AccessDeniedHandlerImpl that will do a "forward"
+        AccessDeniedHandlerImpl adh = new AccessDeniedHandlerImpl();
+        adh.setErrorPage("/error.jsp");
+
        // Test
        ExceptionTranslationFilter filter = new ExceptionTranslationFilter();
        filter.setAuthenticationEntryPoint(new MockAuthenticationEntryPoint(
                "/login.jsp"));
+        filter.setAccessDeniedHandler(adh);

        MockHttpServletResponse response = new MockHttpServletResponse();
        filter.doFilter(request, response, chain);
        assertEquals(403, response.getStatus());
        assertEquals(AccessDeniedException.class,
-            request.getSession()
-                   .getAttribute(ExceptionTranslationFilter.ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY)
+            request.getAttribute(
+                AccessDeniedHandlerImpl.ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY)
                   .getClass());
    }

--- a/doc/xdocs/upgrade/upgrade-090-100.html
+++ b/doc/xdocs/upgrade/upgrade-090-100.html
@ -82,6 +82,10 @@ applications:
    has changed it signature (SEC-238). If subclassing, please override the new signature.
 	</li>
 	
+	<li>
+	ExceptionTranslationFilter no longer provides a sendAccessDenied() method. Use the
+	new AccessDeniedHandler instead if custom handling is required.
+	</li>
 	
    </ul>

--- a/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml
+++ b/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml
@ -99,11 +99,6 @@
 		<welcome-file>index.jsp</welcome-file>
 	</welcome-file-list>

-	<error-page>
-		<error-code>403</error-code>
-		<location>/error.html</location>
-	</error-page>
-
  	<taglib>
      <taglib-uri>/spring</taglib-uri>
      <taglib-location>/WEB-INF/spring.tld</taglib-location>
--- a/samples/contacts/src/main/webapp/filter/accessDenied.jsp
+++ b/samples/contacts/src/main/webapp/filter/accessDenied.jsp
@ -0,0 +1,16 @@
+<%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
+<%@ page import="org.acegisecurity.Authentication" %>
+<%@ page import="org.acegisecurity.ui.AccessDeniedHandlerImpl" %>
+
+<h1>Sorry, access is denied</h1>
+
+
+<p>
+<%= request.getAttribute(AccessDeniedHandlerImpl.ACEGI_SECURITY_ACCESS_DENIED_EXCEPTION_KEY)%>
+
+<p>
+
+<%		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+		if (auth != null) { %>
+			Authentication object as a String: <%= auth.toString() %><BR><BR>
+<%      } %>
--- a/samples/contacts/src/main/webapp/filter/error.html
+++ b/samples/contacts/src/main/webapp/filter/error.html
@ -1,5 +0,0 @@
-<html>
-	<title>Access denied!</title>
-	<h1>Access Denied</h1>
-	We're sorry, but you are not authorized to perform the requested operation.
-</html>