Camilo Arango wrote:
> One solution I have found is removing both the
> exceptionTranslationFilter and filterInvocationInterceptor from the
> chain and managing authorization with AOP. That way, the exceptions
> are serialized correctly.

This is actually the recommended usage pattern. You use FilterInvocationInterceptor for securing web requests. If you wish to secure method authorizations, you use MethodSecurityInterceptor or AspectJSecurityInterceptor.

You'd normally configure FilterChainProxy so it differentiates between "browser clients" and "rich clients". The browser clients will use ExceptionTranslationFilter, as that type of client requires HTTP response codes and if you fail to provide them, your servlet container will fall back to a response code 500 in the event of an exception. The rich clients should not include ExceptionTranslationFilter or FilterInvocationInterceptor, as all authorization is performed by one of the aforementioned security interceptors and exceptions will be serialized by the applicable remoting protocol instead.

Cheers
Ben

_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
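
The split described in the reply above, written out as an added Acegi 1.0-style Spring configuration (an illustration, not part of the original message or the project's own sample config). The `/remoting/**` pattern, the filter bean ids (assumed to be defined elsewhere in the application context), the `accountService` bean and the `com.example.AccountService` interface are assumptions.

```xml
<beans>
  <!-- Patterns are evaluated top to bottom and the first match wins,
       so the rich-client pattern must precede the catch-all. -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /remoting/**=httpSessionContextIntegrationFilter,basicProcessingFilter
        /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>
  <!-- Rich-client chain (/remoting/**): no exceptionTranslationFilter and no
       filterInvocationInterceptor, so an AccessDeniedException thrown by the
       method interceptor below reaches the remoting exporter and is
       serialized back to the caller by the remoting protocol. -->

  <!-- Authorization for rich clients happens at the service method. -->
  <bean id="methodSecurityInterceptor"
        class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        com.example.AccountService.get*=ROLE_TELLER,ROLE_SUPERVISOR
        com.example.AccountService.transfer*=ROLE_SUPERVISOR
      </value>
    </property>
  </bean>

  <!-- Apply the interceptor to the (hypothetical) service bean that the
       remoting exporter publishes. -->
  <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="beanNames">
      <list><value>accountService</value></list>
    </property>
    <property name="interceptorNames">
      <list><value>methodSecurityInterceptor</value></list>
    </property>
  </bean>
</beans>
```

Because the method interceptor wraps the service bean itself, browser requests that reach `accountService` through the web tier are also checked at the method level, in addition to the URL rules enforced by `filterInvocationInterceptor`.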
