[DELTASPIKE-681] Handling AccessDeniedException will run the secured method - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.0.1
Fix Version/s: 1.0.2
Component/s: Core, Security-Module
Labels:
None

Description

I'm using DeltaSpike Security Module together with Picketlink. I created an annotation:

@Retention(value = RetentionPolicy.RUNTIME)
@Target(

{ ElementType.TYPE, ElementType.METHOD }

)
@Documented
@SecurityBindingType
public @interface Admin { }

Created an authorizer method:

@Secures
@Admin
public boolean doSecuredCheck(InvocationContext invocationContext, BeanManager manager) throws Exception {
return false; //Nobody is an admin!
}

An created a secured method:

@Admin
public void test() {
System.out.println("in method");
}

So far this works fine, the method will not run when invoked from a h:commandButton, because the authorizer method returns false. An AccessDeniedException is thrown which will be displayed on the error page. It is very ugly.

I wanted to handle the exception gracefully, so I created an exception handler:

void printExceptions(@Handles ExceptionEvent<AccessDeniedException> evt) {
FacesContext.getCurrentInstance().addMessage(null, new FacesMessage("You have no access!"));
}

The exception handler is being called, no ugly error page, and I can see the "You have no access!" message appearing on the page.

Hovewer I can also see this in the console:
"in method"

So handling the exception caused to secured method to actually run!

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

DELTASPIKE-681.patch
05/Aug/14 21:14
1 kB
Gerhard Petracek

Activity

People

Assignee:: Unassigned

Reporter:: Gabor K

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Aug/14 14:51

Updated:: 20/Aug/14 14:32

Resolved:: 05/Aug/14 21:27