I'm confused as to why this wouldn't work in afterCompletion.
afterCompletion is guaranteed to be called at the end of the request
(in all cases) and is meant to perform subclass-specific final/cleanup
type of work that you describe.
The cleanup method is primarily infrastructural - its only job is to
ensure that 1) afterCompletion is always called and 2) if any
exception is thrown, either originally or as a result of
afterCompletion, that it is wrapped in a ServletException if it is not
already an IOException or ServletException.
Based on this, it makes sense to me to have AuthenticatingFilter
override afterCompletion (it doesn't currently) to do the following:
if (existing instanceof UnauthenticatedException || (existing
instanceof ServletException && existing.getCause() instanceof
UnauthenticatedException)) {
onAccessDenied(request,response);
}
Thoughts?
Cheers,
Les
