I got this figured out - the SC_FORBIDDEN works GREAT!!  

Without the entry in my web.xml - I get an error message from the server (or
browser if using IE 6).

I changed the entry in my web.xml to have a leading slash ("/") and it works
great!

<error-page>
     <error-code>403</error-code>
     <location>/accessDenied.jsp</location>
</error-page>

+1 for adding this to struts 1.1!

--- Matt Raible <[EMAIL PROTECTED]> wrote:
> Nic,
> 
> I changed your ActionServlet (line 1573) to return SC_FORBIDDEN in the
> following code block:
> 
> if (debug >= 1)
>      log(" Access denied to mapping for path " + path);
> 
> response.sendError(HttpServletResponse.SC_FORBIDDEN,
> internal.getMessage("processAccessDenied", path));
> 
> added this to my web.xml:
> 
>   <error-page>
>               <error-code>403</error-code>
>               <location>accessDenied.jsp</location>
>   </error-page>
> 
> And now I'm getting the error below - any ideas?
> 
> [07/Sep/2001 09:23:23:3] info: --------------------------------------
> [07/Sep/2001 09:23:23:3] info: action:  Access denied to mapping for path /searchHolidayMonth
> [07/Sep/2001 09:23:23:3] info: --------------------------------------
> [07/Sep/2001 09:23:23:3] error: Exception: SERVLET-run_failed: Failed in running template: [App = timetracker, Servlet = action], java.lang.StringIndexOutOfBoundsException: String index out of range: -1
> Exception Stack Trace:
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>         at java.lang.String.substring(String.java:1492)
>         at com.netscape.server.servlet.platformhttp.PlatformHttpServletRequest.getRequestDispatcher(Unknown Source)
>         at com.netscape.server.servlet.platformhttp.PlatformHttpServletResponse.sendError(Unknown Source)
>         at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1573)
>         at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:500)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
>         at com.netscape.server.servlet.servletrunner.ServletInfo.service(Unknown Source)
>         at com.netscape.server.servlet.platformhttp.PlatformHttpServletResponse.callUri(Unknown Source)
>         at com.netscape.server.servlet.platformhttp.PlatformHttpServletResponse.callUriRestrictOutput(Unknown Source)
>         at com.netscape.server.servlet.platformhttp.PlatformRequestDispatcher.forward(Unknown Source)
>         at com.netscape.server.servlet.platformhttp.PlatformHttpServletResponse.sendError(Unknown Source)
>         at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1573)
>         at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:500)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
>         at com.netscape.server.servlet.servletrunner.ServletInfo.service(Unknown Source)
>         at com.netscape.server.servlet.servletrunner.ServletRunner.execute(Unknown Source)
>         at com.kivasoft.applogic.AppLogic.execute(Unknown Source)
>         at com.kivasoft.applogic.AppLogic.execute(Unknown Source)
>         at com.kivasoft.thread.ThreadBasic.run(Native Method)
>         at java.lang.Thread.run(Thread.java:479)
> 
> --- Nic Hobbs <[EMAIL PROTECTED]> wrote:
> > Hi Matt, All,
> >
> > Firstly let me apologise for my absence for the last few weeks (I seem
> > to end up doing this at the top of every posting I make ;) but I had a
> > nasty and artistic bout of Food Poisoning and then a holiday to contend
> > with. Since I have been trying to catch up on the several thousand
> > mails that seem to have been sent whilst I was away!
> >
> > On to the real message though. In my original posting (referenced in
> > your mail) I outlined this as the current functionality, and asked for
> > suggestions as to what it _should_ do instead. Yours is the first
> > comment I have had back on this, as I think you are one of the first to
> > look at it in any depth. Many thanks.
> >
> > I think you are probably right that we should return a 403 (Forbidden)
> > as the default. I would like this to be configurable though so people
> > can choose. I can't remember exactly how the code was written now
> > (well, it was a month or so ago) and if this is possible, and sadly our
> > network went down for routine maintenance today and died in the process
> > so I can't even look at the code at the moment, let alone test some
> > changes! I will do asap though. Do you still want a demo webapp or are
> > you happy with how it works now? It sounds like you have it working ok.
> >
> > Incidentally, things have been quiet on the workflow front recently,
> > can anyone update me with what the latest is? Ta.
> >
> > In the next few weeks I have (another) holiday and am quite busy as I
> > have some bits to clear up before I get sent out to the US for a couple
> > of months (I'll be down in Tampa, FL if anyone is interested, or if
> > anyone is heading down there for OOPSLA...? Although I'll not be at
> > OOPSLA myself unfortunately...so near yet so far...). But when I get
> > out there I hope to have a little more free time to get more involved.
> > I think I keep saying that too...
> >
> > Regards,
> >
> > Nic
> >
> > On Friday 07 September 2001  2:23 pm, you wrote:
> > > Nic,
> > >
> > > I think the best thing to handle the situation below would be to
> > > direct the user to a 403 error (forbidden).  Then in the web.xml, it
> > > might be possible to direct your server to route 403 errors to a
> > > specific page.  Is there anywhere that you specify returning a 404
> > > error?
> > >
> > > This is a comment to the following message at:
> > > http://husted.com/about/struts/struts-security.htm
> > >
> > > But what happens when the user is found to not be in the correct
> > > role? At the moment the user just gets a page not found at the
> > > browser level which is good in one way in that if a user went to the
> > > URL directly they wouldn't know if the URL is correct or not but we
> > > may want it to go to a specific (configurable) 'illegal access' page
> > > or something similar. Comments?
> > >
> > > Thanks,
> > >
> > > Matt
> > >
> > >


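The fix reported at the top of this message (a leading "/" on the `<location>`) can be checked before deployment. The following is an added example, not code from the thread or from Struts: a small check over the `<error-page>` entries of a web.xml. The function names and the two sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop any XML namespace so DTD-based and schema-based descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def check_error_pages(web_xml, required_codes=("403",)):
    """Return a list of findings for the <error-page> entries in a web.xml string."""
    findings = []
    mapped = set()
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "error-page":
            continue
        code = _child_text(elem, "error-code")
        location = _child_text(elem, "location")
        label = code or _child_text(elem, "exception-type") or "?"
        if not location:
            findings.append(f"{label}: missing <location>")
        elif not location.startswith("/"):
            # The servlet spec requires the location to begin with "/"
            # (it is resolved relative to the web application root).
            findings.append(f"{label}: location '{location}' must start with '/'")
        elif code:
            mapped.add(code)
    # A status the application sends on purpose (403 here) should have a page;
    # otherwise the user sees the container's or browser's default message.
    for code in required_codes:
        if code not in mapped:
            findings.append(f"{code}: no valid error page mapped")
    return findings

# Constructed samples: the entry from the quoted message and the corrected one.
BROKEN = """<web-app><error-page>
  <error-code>403</error-code><location>accessDenied.jsp</location>
</error-page></web-app>"""
FIXED = BROKEN.replace("accessDenied.jsp", "/accessDenied.jsp")

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_error_pages(doc) or "ok")
```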