Re: [Acegisecurity-developer] AuthenticationSimpleHttpInvokerRequestExecutor should validate response codes?

2007-01-12 Thread Ben Alex
Camilo Arango wrote:

> One solution I have found is removing both the
> exceptionTranslationFilter and filterInvocationInterceptor from the
> chain and managing authorization with AOP. That way, the exceptions
> are serialized correctly.

This is actually the recommended usage pattern. You use
FilterInvocationInterceptor for securing web requests. If you wish to
secure method authorizations, you use MethodSecurityInterceptor or
AspectJSecurityInterceptor. You'd normally configure FilterChainProxy so
it differentiates between browser clients and rich clients. The
browser clients will use ExceptionTranslationFilter, as that type of
client requires HTTP response codes and if you fail to provide them,
your servlet container will fall back to a response code 500 in the event
of an exception. The rich clients should not include
ExceptionTranslationFilter or FilterInvocationInterceptor, as all
authorization is performed by one of the aforementioned security
interceptors and exceptions will be serialized by the applicable
remoting protocol instead.

Cheers
Ben

___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] AuthenticationSimpleHttpInvokerRequestExecutor should validate response codes?

2007-01-10 Thread Ben Alex
Camilo Arango wrote:
> Not always. It seems that only exceptions thrown by the called object
> are propagated by the client. In my case, the exception is thrown by a
> filter, and therefore the call to the Spring remoting proxy never
> occurs and I get an ugly 500 response code at the client.
>
> What would be the best thing to do in that case?

Depends where ExceptionTranslationFilter appears in your chain. Which
filter is throwing the exception, and where is ETF in your chain?

Cheers
Ben



[Acegisecurity-developer] AuthenticationSimpleHttpInvokerRequestExecutor should validate response codes?

2007-01-02 Thread Camilo Arango
Hi,

I am using Acegi for a 3-tier Eclipse RCP application using HTTP
remoting. It has come to my attention that when a remote call throws an
AccessDeniedException, in the client it is translated to a
RemoteInvocationException. It would be useful to have an
AccessDeniedException in these cases instead.

As the AuthenticationSimpleHttpInvokerRequestExecutor can override the
validateResponse method, it is fairly simple to examine the HTTP
status code and throw the appropriate exception. I made a snippet of
it:

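    import java.io.IOException;
    import java.net.HttpURLConnection;

    import org.acegisecurity.AccessDeniedException;
    import org.acegisecurity.context.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;
    import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;

    public class AuthenticationHttpInvokerRequestExecutor extends
            AuthenticationSimpleHttpInvokerRequestExecutor {

        // Map HTTP 401/403 to AccessDeniedException before the default status check runs.
        protected void validateResponse(HttpInvokerClientConfiguration config,
                HttpURLConnection con) throws IOException {
            if (con.getResponseCode() == 401) {
                throw new AccessDeniedException("Access Denied");
            } else if (con.getResponseCode() == 403) {
                throw new AccessDeniedException("Acceso Denied");
            } else {
                super.validateResponse(config, con);
            }
        }
    }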

It works well for me, therefore I think it would be a good idea to add
it to the actual AuthenticationHttpInvokerRequestExecutor.

What do you guys think?

Regards,

Camilo Arango.
