Posted to dev@struts.apache.org by bu...@apache.org on 2003/11/15 23:05:38 UTC
DO NOT REPLY [Bug 24732] New: - HTTP 400 is send to unauthorized user instead of HTTP 403
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24732
Summary: HTTP 400 is send to unauthorized user instead of HTTP 403
Product: Struts
Version: 1.1 Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Controller
AssignedTo: struts-dev@jakarta.apache.org
ReportedBy: martijn.de.bruyn@tip.nl
When a user has no access to an action because the user does not have a required role as
defined in the roles attribute of an action, an HTTP 400 is returned instead of
an HTTP 403.
With this behaviour it is difficult to redirect to a login page for an
authorized user without the required role.
See RequestProcessor.java line 890.
    // The current user is not authorized for this action
    if (log.isDebugEnabled()) {
        log.debug(" User '" + request.getRemoteUser() +
                  "' does not have any required role, denying access");
    }
    response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                       getInternal().getMessage("notAuthorized",
                                                mapping.getPath()));