Posted to commits@sling.apache.org by fm...@apache.org on 2010/01/21 00:55:09 UTC
svn commit: r901447 -
/sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java
Author: fmeschbe
Date: Wed Jan 20 23:55:09 2010
New Revision: 901447
URL: http://svn.apache.org/viewvc?rev=901447&view=rev
Log:
SLING-1307 handle exceptions thrown by the login method such that a 403 status can be sent back to the client instead of an internal server error for an uncaught RuntimeException
Modified:
sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java
Modified: sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java?rev=901447&r1=901446&r2=901447&view=diff
==============================================================================
--- sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java Wed Jan 20 23:55:09 2010
@@ -571,7 +571,7 @@
// If we get here, anonymous access is not allowed: redirect
// to the login servlet
log.info("getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials");
- login(request, response);
+ doLogin(request, response);
// fallback to no session
return false;
@@ -627,7 +627,7 @@
reason.getMessage());
log.debug("handleLoginFailure", reason);
- login(request, response);
+ doLogin(request, response);
} else {
@@ -647,6 +647,37 @@
}
/**
+ * Calls the {@link #login(HttpServletRequest, HttpServletResponse)} method
+ * catching declared exceptions of that method and cleanly handling and
+ * logging them. Particularly if no authentication handler is available to
+ * request credentials a 403/FORBIDDEN response is sent back to the client.
+ */
+ private void doLogin(HttpServletRequest request,
+ HttpServletResponse response) {
+
+ try {
+
+ login(request, response);
+
+ } catch (IllegalStateException ise) {
+
+ log.error("doLogin: Cannot login: Response already committed");
+
+ } catch (NoAuthenticationHandlerException nahe) {
+
+ log.error("doLogin: Cannot login: No AuthenticationHandler available to handle the request");
+
+ try {
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ "Cannot login");
+ } catch (IOException ioe) {
+ log.error("doLogin: Failed sending 403 status", ioe);
+ }
+
+ }
+ }
+
+ /**
* Sets the request attributes required by the OSGi HttpContext interface
* specification for the <code>handleSecurity</code> method. In addition the
* {@link SlingHttpContext#SESSION} request attribute is set with the JCR
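Review bot: The new `doLogin` can still surface the uncaught runtime exception this commit is meant to eliminate: in the `NoAuthenticationHandlerException` branch, `response.sendError(...)` only guards against `IOException`, so if the response was already committed (the same condition the first catch handles for `login`) the servlet container throws `IllegalStateException` from `sendError` and the request ends in a 500 after all. Guarding the call with `if (!response.isCommitted()) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "Cannot login"); } else { log.error("doLogin: Cannot send 403 status: Response already committed"); }` keeps the failure on the logged path. Separately, the first catch discards `ise` and hard-codes "Response already committed" as the cause, but `IllegalStateException` may come from anywhere inside `login` or an authentication handler; logging the exception, `log.error("doLogin: Cannot login", ise);`, preserves the actual reason for whoever has to diagnose a refused login. Note that only `IllegalStateException` is caught, so any other `RuntimeException` thrown by a handler still bypasses the 403 path, which is presumably intended but worth stating in the Javadoc. The trailing Javadoc at the end of the hunk belongs to the next method and continues outside it.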