Spring Security
  1. Spring Security
  2. SEC-996

AccessDeniedhandlerimpl doesn't write response code if used with errorPage

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0.3
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      The forward to the error page will cause the response to be committed and thus the 403 error code cannot be written (the commit check was introduced as a fix for SEC-324), but the code should perhaps be written before the forward instead.

        Activity

        Hide
        Mario Ceste, Jr. added a comment -

        Below is a code-snippet that will set the status code even if we're forwarding to the error page. If the error page is not present then we'll send an error like in the previous version. Personally, I don't think anything can be done if the response has already been committed. We'll assume that a previous filter has already handled the problem.

        if (!response.isCommitted()) {
        if (errorPage != null)

        { request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, exception); // the status code. HttpServletResponse resp = (HttpServletResponse) response; resp.setStatus(HttpServletResponse.SC_FORBIDDEN); // forward to error page. RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage); dispatcher.forward(request, response); }

        else

        { HttpServletResponse resp = (HttpServletResponse) response; resp.sendError(HttpServletResponse.SC_FORBIDDEN, exception.getMessage()); }

        }

        Show
        Mario Ceste, Jr. added a comment - Below is a code-snippet that will set the status code even if we're forwarding to the error page. If the error page is not present then we'll send an error like in the previous version. Personally, I don't think anything can be done if the response has already been committed. We'll assume that a previous filter has already handled the problem. if (!response.isCommitted()) { if (errorPage != null) { request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, exception); // the status code. HttpServletResponse resp = (HttpServletResponse) response; resp.setStatus(HttpServletResponse.SC_FORBIDDEN); // forward to error page. RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage); dispatcher.forward(request, response); } else { HttpServletResponse resp = (HttpServletResponse) response; resp.sendError(HttpServletResponse.SC_FORBIDDEN, exception.getMessage()); } }
        Hide
        Luke Taylor added a comment -

        Thanks for the patch. I've applied your changes. It makes sense since you can't forward if the resonse is committed. I wouldn't have thought that a forward would necessarily cause a commit though, unless you have a small output buffer (or a large error page ).

        Show
        Luke Taylor added a comment - Thanks for the patch. I've applied your changes. It makes sense since you can't forward if the resonse is committed. I wouldn't have thought that a forward would necessarily cause a commit though, unless you have a small output buffer (or a large error page ).

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Luke Taylor
          • Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: