Spring Security / SEC-1635

AfterInvocationManager should not be invoked if an exception occurs

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.M2
    • Component/s: Core, Web
    • Labels:
      None

      Description

      The AfterInvocationManager is intended to perform filtering or make an access decision after an invocation has taken place.

      If the invocation raises an exception, then there is no returned object or collection to filter/modify, and the ability to make an access decision is likely to be complicated by the lack of those objects (see SEC-1525, for example). Since an exception generally means that the invocation has failed, it's also unlikely that an access decision is required at that point anyway. Any stateful changes should be rolled back by a transaction manager.

          Activity

          Luke Taylor added a comment -

          Updated the security interceptor implementations to remove the finally block in which the AfterInvocationManager is called.

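The control-flow difference described in this issue, as an added example that is not Spring Security source code: `AfterInvocation`, `invokeWithFinally` and `invokeOnSuccessOnly` are hypothetical stand-ins for the AfterInvocationManager and the interceptor shape before and after the change, and the records are constructed sample data.

```java
import java.util.List;
import java.util.concurrent.Callable;
import java.util.stream.Collectors;

public class AfterInvocationDemo {

    // Hypothetical stand-in for an AfterInvocationManager that filters a returned list.
    interface AfterInvocation {
        List<String> decide(List<String> returned);
    }

    // Shape before the change: the post-invocation step sits in a finally block,
    // so it also runs when the secured call throws and there is nothing to filter.
    // An exception raised inside finally replaces the original one.
    static List<String> invokeWithFinally(Callable<List<String>> secured,
                                          AfterInvocation after) throws Exception {
        List<String> result = null;
        try {
            result = secured.call();
        } finally {
            result = after.decide(result);
        }
        return result;
    }

    // Shape after the change: the post-invocation step runs only on normal return,
    // and a failure in the secured call propagates unchanged.
    static List<String> invokeOnSuccessOnly(Callable<List<String>> secured,
                                            AfterInvocation after) throws Exception {
        return after.decide(secured.call());
    }

    static String outcome(Callable<List<String>> call) {
        try {
            return "returned " + call.call();
        } catch (Exception e) {
            return "threw " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed filter: keep only records owned by "alice".
        AfterInvocation ownerFilter = returned -> returned.stream()
                .filter(r -> r.startsWith("alice:")).collect(Collectors.toList());
        Callable<List<String>> failing = () -> { throw new IllegalStateException("lookup failed"); };
        Callable<List<String>> ok = () -> List.of("alice:1", "bob:2");

        System.out.println("finally, failing call:      " + outcome(() -> invokeWithFinally(failing, ownerFilter)));
        System.out.println("success-only, failing call: " + outcome(() -> invokeOnSuccessOnly(failing, ownerFilter)));
        System.out.println("success-only, normal call:  " + outcome(() -> invokeOnSuccessOnly(ok, ownerFilter)));
    }
}
```

With the finally-block shape, the caller of a failed invocation sees whatever the filter throws on the missing return value rather than the original failure, which matters when exception types drive error handling or audit logging.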

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Luke Taylor
            • Votes:
              0
              Watchers:
              0