Posted to commits@sling.apache.org by fm...@apache.org on 2010/01/21 00:55:09 UTC

svn commit: r901447 - /sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java

Author: fmeschbe
Date: Wed Jan 20 23:55:09 2010
New Revision: 901447

URL: http://svn.apache.org/viewvc?rev=901447&view=rev
Log:
SLING-1307 handle exceptions thrown by the login method such that a 403 status can be sent back to the client instead of an internal server error for an uncaught RuntimeException

Modified:
    sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java

Modified: sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java?rev=901447&r1=901446&r2=901447&view=diff
==============================================================================
--- sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java (original)
+++ sling/trunk/bundles/commons/auth/src/main/java/org/apache/sling/commons/auth/impl/SlingAuthenticator.java Wed Jan 20 23:55:09 2010
@@ -571,7 +571,7 @@
         // If we get here, anonymous access is not allowed: redirect
         // to the login servlet
         log.info("getAnonymousSession: Anonymous access not allowed by configuration - requesting credentials");
-        login(request, response);
+        doLogin(request, response);
 
         // fallback to no session
         return false;
@@ -627,7 +627,7 @@
                 reason.getMessage());
             log.debug("handleLoginFailure", reason);
 
-            login(request, response);
+            doLogin(request, response);
 
         } else {
 
@@ -647,6 +647,37 @@
     }
 
     /**
+     * Calls the {@link #login(HttpServletRequest, HttpServletResponse)} method
+     * catching declared exceptions of that method and cleanly handling and
+     * logging them. Particularly if no authentication handler is available to
+     * request credentials a 403/FORBIDDEN response is sent back to the client.
+     */
+    private void doLogin(HttpServletRequest request,
+            HttpServletResponse response) {
+
+        try {
+
+            login(request, response);
+
+        } catch (IllegalStateException ise) {
+
+            log.error("doLogin: Cannot login: Response already committed");
+
+        } catch (NoAuthenticationHandlerException nahe) {
+
+            log.error("doLogin: Cannot login: No AuthenticationHandler available to handle the request");
+
+            try {
+                response.sendError(HttpServletResponse.SC_FORBIDDEN,
+                    "Cannot login");
+            } catch (IOException ioe) {
+                log.error("doLogin: Failed sending 403 status", ioe);
+            }
+
+        }
+    }
+
+    /**
      * Sets the request attributes required by the OSGi HttpContext interface
      * specification for the <code>handleSecurity</code> method. In addition the
      * {@link SlingHttpContext#SESSION} request attribute is set with the JCR
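Review bot: The `catch (IllegalStateException ise)` branch in the new doLogin logs "Response already committed" without confirming it via `response.isCommitted()`, so any other IllegalStateException raised inside login() or by an authentication handler is misreported under that message, and because `ise` is not passed to the logger its stack trace is dropped in both catch branches. For a step that decides whether a client is challenged for credentials, the thrown exception is exactly what an operator needs when investigating a failed or missing login. Both call sites in the earlier hunks (getAnonymousSession and handleLoginFailure) just fall through after doLogin, so when the response is not actually committed the client is left without any status at all, whereas the NoAuthenticationHandlerException branch already answers with 403. I would keep the cause in the log call and reuse the 403 path whenever the response is still open; the log text itself presumably mirrors the condition documented on login(), which is outside this hunk, so confirm that before relying on it.
```java
        } catch (IllegalStateException ise) {

            // login() is expected to throw ISE for a committed response, but
            // any ISE from an AuthenticationHandler lands here too: keep the
            // stack trace and only send a status while the response is open
            if (response.isCommitted()) {
                log.error("doLogin: Cannot login: Response already committed", ise);
            } else {
                log.error("doLogin: Cannot login", ise);
                try {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Cannot login");
                } catch (IOException ioe) {
                    log.error("doLogin: Failed sending 403 status", ioe);
                }
            }

        } catch (NoAuthenticationHandlerException nahe) {

            log.error("doLogin: Cannot login: No AuthenticationHandler available to handle the request", nahe);
            // … unchanged: sendError(SC_FORBIDDEN) with IOException handling …
```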