Posted to dev@deltaspike.apache.org by "Gerhard Petracek (JIRA)" <ji...@apache.org> on 2014/08/05 23:05:12 UTC

[jira] [Updated] (DELTASPIKE-681) Handling AccessDeniedException will run the secured method

     [ https://issues.apache.org/jira/browse/DELTASPIKE-681?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gerhard Petracek updated DELTASPIKE-681:
----------------------------------------

    Priority: Minor  (was: Major)

@gabor:
I agree with you that it should be that way.
In fact it works as designed (which is not intuitive imo).
Once you have a handler, the corresponding exception is handled/consumed and everything continues as usual.

What you are trying to do is to just observe an exception.
That's currently just supported by @Secured (with that it works and you just have to care about DELTASPIKE-637).

> Handling AccessDeniedException will run the secured method
> ----------------------------------------------------------
>
>                 Key: DELTASPIKE-681
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-681
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: Core, Security-Module
>    Affects Versions: 1.0.1
>            Reporter: Gabor K
>            Priority: Minor
>
> I'm using DeltaSpike Security Module together with Picketlink. I created an annotation:
> @Retention(value = RetentionPolicy.RUNTIME)
> @Target({ ElementType.TYPE, ElementType.METHOD })
> @Documented
> @SecurityBindingType
> public @interface Admin { }
> Created an authorizer method:
> @Secures
> @Admin
> public boolean doSecuredCheck(InvocationContext invocationContext, BeanManager manager) throws Exception {
> 		return false; //Nobody is an admin!
> }
> And created a secured method:
> @Admin
> public void test() {
> 	System.out.println("in method");
> }
> So far this works fine, the method will not run when invoked from a h:commandButton, because the authorizer method returns false. An AccessDeniedException is thrown which will be displayed on the error page. It is very ugly.
> I wanted to handle the exception gracefully, so I created an exception handler:
> void printExceptions(@Handles ExceptionEvent<AccessDeniedException> evt) {
> 	FacesContext.getCurrentInstance().addMessage(null, new FacesMessage("You have no access!"));
> }
> The exception handler is being called, no ugly error page, and I can see the "You have no access!" message appearing on the page.
> However I can also see this in the console:
> "in method"
> So handling the exception caused the secured method to actually run!



--
This message was sent by Atlassian JIRA
(v6.2#6252)
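
Added example (not part of the original message and not DeltaSpike code): a stand-alone Java model of the behaviour discussed above, where a handler that consumes the denial lets the invocation continue, next to a fail-closed variant that stops after the handler. All class and method names are hypothetical; the authorizer and message mirror the ones in the report.

```java
import java.util.function.BooleanSupplier;
import java.util.function.Consumer;

// Stand-alone model (hypothetical names, not DeltaSpike classes) of a security
// interceptor whose denial can be "consumed" by an exception handler.
public class DeniedInvocationModel {
    static class AccessDenied extends RuntimeException {}

    static int bodyRuns = 0;                       // counts secured-method executions
    static void securedBody() { bodyRuns++; }      // stands in for test() in the report

    // Behaviour described in the thread: a registered handler consumes the
    // denial and the invocation continues as usual.
    static void invokeContinueAfterHandler(BooleanSupplier authorizer, Consumer<AccessDenied> handler) {
        if (!authorizer.getAsBoolean()) {
            AccessDenied denied = new AccessDenied();
            if (handler == null) throw denied;     // no handler: exception propagates
            handler.accept(denied);                // handled, then falls through
        }
        securedBody();
    }

    // Fail-closed variant: the handler may report the denial, but the body is
    // never reached once the authorizer has said no.
    static void invokeFailClosed(BooleanSupplier authorizer, Consumer<AccessDenied> handler) {
        if (!authorizer.getAsBoolean()) {
            AccessDenied denied = new AccessDenied();
            if (handler == null) throw denied;
            handler.accept(denied);
            return;                                // stop here; do not proceed
        }
        securedBody();
    }

    public static void main(String[] args) {
        BooleanSupplier nobodyIsAdmin = () -> false;   // same result as the reporter's authorizer
        Consumer<AccessDenied> showMessage = e -> System.out.println("You have no access!");

        invokeContinueAfterHandler(nobodyIsAdmin, showMessage);
        System.out.println("continue-after-handler body runs: " + bodyRuns);

        bodyRuns = 0;
        invokeFailClosed(nobodyIsAdmin, showMessage);
        System.out.println("fail-closed body runs: " + bodyRuns);
        if (bodyRuns != 0) throw new AssertionError("secured body ran after a denial");
    }
}
```

The final check in main() is the shape of a regression test for this issue: with a handler registered and an authorizer that returns false, assert that the secured method body was never executed.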