Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 2.3.3
- struts2, spring security
Description
struts2 with spring security.
The Spring Security method security interceptor may throw an org.springframework.security.access.AccessDeniedException. It needs to be caught by org.springframework.security.web.access.ExceptionTranslationFilter and then translated into a 403 error.
But the org.apache.struts2.dispatcher.Dispatcher always catches the exceptions thrown from its actions and converts them to a 500 error, so the behavior of Spring Security becomes weird. Nor can I define an <error-page> with <exception-type>org.springframework.security.access.AccessDeniedException, or <error-page><error-code>403</error-code>, because Struts2 already hides all of the details of this exception.
Now I have just two options to choose from. The first is to use ExceptionMappingInterceptor and map AccessDeniedException to 403.jsp; this causes duplicated configuration, because I have to define 403.jsp in both web.xml and struts.xml.
The second choice is modifying the source code of Dispatcher, just commenting out line 533:
sendError(request, response, context, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e);
I wish there could be an option like 'struts.convert.exception=false' to turn off this default behavior, so we could use Spring Security with Struts2 more flexibly.
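
The first option from the description, written out as an added example (not configuration from the reporter or the Struts project). The package name `secured` and the result name `accessDenied` are assumptions; the commented variant uses the Struts `httpheader` result type so that 403.jsp is named only in web.xml.

```xml
<!-- struts.xml (fragment). Package name "secured" and result name
     "accessDenied" are assumptions made for this example. -->
<package name="secured" extends="struts-default">
  <global-results>
    <!-- Option 1 as described: forward straight to the page. 403.jsp is now
         named here and in web.xml. A plain forward leaves the status at 200
         unless the JSP sets 403 itself. -->
    <result name="accessDenied">/403.jsp</result>

    <!-- Variant: let Struts call response.sendError(403) and leave the choice
         of page to the container's <error-page> entry below.
    <result name="accessDenied" type="httpheader">
      <param name="error">403</param>
    </result>
    -->
  </global-results>

  <!-- Handled by the "exception" interceptor (ExceptionMappingInterceptor),
       which is part of defaultStack in struts-default. -->
  <global-exception-mappings>
    <exception-mapping
        exception="org.springframework.security.access.AccessDeniedException"
        result="accessDenied"/>
  </global-exception-mappings>
</package>

<!-- web.xml (fragment): container-level page for 403 responses -->
<error-page>
  <error-code>403</error-code>
  <location>/403.jsp</location>
</error-page>
```

In both forms the exception is consumed inside Struts, so ExceptionTranslationFilter never sees it and its own handling (the configured AccessDeniedHandler, or starting authentication for an anonymous user) does not run.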