Posted to dev@struts.apache.org by bu...@apache.org on 2003/11/15 23:05:38 UTC

DO NOT REPLY [Bug 24732] New: - HTTP 400 is sent to unauthorized user instead of HTTP 403

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24732>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24732

HTTP 400 is sent to unauthorized user instead of HTTP 403

           Summary: HTTP 400 is sent to unauthorized user instead of HTTP
                    403
           Product: Struts
           Version: 1.1 Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Controller
        AssignedTo: struts-dev@jakarta.apache.org
        ReportedBy: martijn.de.bruyn@tip.nl


When a user has no access to an action because it does not have a required role as 
defined in the roles attribute of an action, an HTTP 400 is returned instead of 
an HTTP 403.
With this behaviour it is difficult to redirect to a login page for an 
authorized user without the required role.

See RequestProcessor.java line 890.

        // The current user is not authorized for this action
        if (log.isDebugEnabled()) {
            log.debug(" User '" + request.getRemoteUser() +
                      "' does not have any required role, denying access");
        }
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           getInternal().getMessage("notAuthorized",
                                                    mapping.getPath()));
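As an added illustration (not code from this report or from Struts itself), the same role check in an overriding RequestProcessor subclass that answers 403 for an authenticated user who holds none of the listed roles, and 401 when there is no authenticated user at all. The class name and the separate 401 branch are assumptions; the rest follows the Struts 1.1 processRoles() signature.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

// Hypothetical subclass (assumption): overrides the role check so the
// status code tells the client apart: 401 when nobody is logged in,
// 403 when the user is authenticated but holds none of the required roles.
public class StatusAwareRequestProcessor extends RequestProcessor {

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // No roles configured on the mapping: nothing to enforce.
        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true;
        }

        // Grant access on the first matching role, as Struts does.
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }

        String user = request.getRemoteUser();
        if (user == null) {
            // Not authenticated at all: 401 (a form-login application
            // would typically redirect to its login page here instead).
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                               "Authentication required for " + mapping.getPath());
        } else {
            // Authenticated but lacking every required role: 403, not 400.
            if (log.isDebugEnabled()) {
                log.debug(" User '" + user + "' does not have any required role, denying access");
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               getInternal().getMessage("notAuthorized", mapping.getPath()));
        }
        return false;
    }
}
```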

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-dev-help@jakarta.apache.org