You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Lars Trieloff (JIRA)" <ji...@apache.org> on 2008/02/28 14:47:51 UTC
[jira] Created: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
µjax Post Servlet does not use correct HTTP status codes
--------------------------------------------------------
Key: SLING-292
URL: https://issues.apache.org/jira/browse/SLING-292
Project: Sling
Issue Type: Bug
Components: ujax
Reporter: Lars Trieloff
The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574375#action_12574375 ]
Felix Meschberger commented on SLING-292:
-----------------------------------------
Re Tobias [1]:
In this case having a 200/OK status irrespective of the actual outcome is a specific application use case and not a general case. Therefore I suggest we add an indication as to whether status codes should be returned as is (that is 500 in case of problems, 40? in case of access control issues) or as 200 regardless of the outcome.
[1] https://issues.apache.org/jira/browse/SLING-292?focusedCommentId=12573873#action_12573873
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573405#action_12573405 ]
Felix Meschberger commented on SLING-292:
-----------------------------------------
Actually, the UjaxPostServlet always sends 200 in case of errors. I think this is probably an issue in the UjaxResponse class, which sets the 500 status code just in HTML page returned but not in the response. Should this be fixed, too ? (hmm, somehwat off topic here ...)
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Bertrand Delacretaz (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574386#action_12574386 ]
Bertrand Delacretaz commented on SLING-292:
-------------------------------------------
Agree with the idea of a filter that can be disabled
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573843#action_12573843 ]
Felix Meschberger commented on SLING-292:
-----------------------------------------
This is really a problem, but I consider it worth to send "ok" where in reality, the job has not been done. And in fact, the user is probably happier to see the "user-friendly" message telling something was wrong than being tricked into believing everything was fine and not reading the fine print.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573420#action_12573420 ]
Tobias Bocanegra commented on SLING-292:
----------------------------------------
the problem is that if you are sending POSTs using a normal html form, it's not easy for a js client to catch errors if the server responds with 500. the client needs to 'parse' the HTML response and check for errors there.
maybe we can control the error behavior with some flag in case you do ajax requests and you can deal with 500's.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Lars Trieloff (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574379#action_12574379 ]
Lars Trieloff commented on SLING-292:
-------------------------------------
Felix, Tobias,
I think we could implement a ServletFilter that will take all Responses that are not 200 and convert it into a response with status 200 and parsable error messages. Depending on your application, you could enable or disable this filter.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Lars Trieloff (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574394#action_12574394 ]
Lars Trieloff commented on SLING-292:
-------------------------------------
The filter should be enabled on-demand so that we expose the standard http behavior on default.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Lars Trieloff (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574232#action_12574232 ]
Lars Trieloff commented on SLING-292:
-------------------------------------
Having proper error messages is not a problem, because user agents will not override the displayed error page, if the page is longer than 512 bytes (which is the default length of error messages generated by apache). If you want to do script-processing you have plenty of options: Using ajax, using a custom selector and error handling script , etc. This is really independent of using a hidden iframe for form processing.
P.S. do you use hidden iframes outside of form-upload scenarios?
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573320#action_12573320 ]
Tobias Bocanegra commented on SLING-292:
----------------------------------------
there is not check for 'access denied exception' from the repository and just a 500 is returned.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Issue Comment Edited: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573843#action_12573843 ]
fmeschbe edited comment on SLING-292 at 3/3/08 12:29 AM:
------------------------------------------------------------------
This is really a problem, but I consider it worse to send "ok" where in reality, the job has not been done. And in fact, the user is probably happier to see the "user-friendly" message telling something was wrong than being tricked into believing everything was fine and not reading the fine print.
was (Author: fmeschbe):
This is really a problem, but I consider it worth to send "ok" where in reality, the job has not been done. And in fact, the user is probably happier to see the "user-friendly" message telling something was wrong than being tricked into believing everything was fine and not reading the fine print.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Felix Meschberger (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574420#action_12574420 ]
Felix Meschberger commented on SLING-292:
-----------------------------------------
Hmm, not very fond of this idea, because the filter would not be active per-deployment but more like per-request ... so, why not just build this into the ujax post servlet ?
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573821#action_12573821 ]
Tobias Bocanegra commented on SLING-292:
----------------------------------------
the problem is if the user selects 'display user friendly errors' as available in many browsers.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573873#action_12573873 ]
Tobias Bocanegra commented on SLING-292:
----------------------------------------
this is not a problem when a human user sends the post, but rather in some UIs where the form is posted in a hidden frame and the script takes care of reloading the respective elements of the page.
in this case, the UI scripts need to be able to parse the errors no matter how the user has configured the browser.
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SLING-292) µjax Post Servlet does not use correct HTTP status codes
Posted by "Lars Trieloff (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573648#action_12573648 ]
Lars Trieloff commented on SLING-292:
-------------------------------------
Felix, I think this should be fixed as well. Displaying the status code is nice, but sending the correct HTTP response is even more important.
Tobias, I do not understand your comment, normal form posts will get a styled error message for 500 and AJAX posts can evaluate the status code easily without parsing the response (http://www.w3schools.com/xml/xml_http.asp)
> µjax Post Servlet does not use correct HTTP status codes
> --------------------------------------------------------
>
> Key: SLING-292
> URL: https://issues.apache.org/jira/browse/SLING-292
> Project: Sling
> Issue Type: Bug
> Components: ujax
> Reporter: Lars Trieloff
>
> The µjax Post Servlet does not use correct HTTP status codes when trying to write nodes without permissions. Expected status code is 403 (forbidden), if no user is logged in (no credentials in the request), status code 401 might be more appropriate
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.