
SEC-996: AccessDeniedhandlerimpl doesn't write response code if used with errorPage

Applied supplied patch which checks the committed flag before forwarding to the error page.
3.0.x
Luke Taylor 18 years ago
parent
commit
acfcac4594
  1. 29
      core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java

29
core/src/main/java/org/springframework/security/ui/AccessDeniedHandlerImpl.java

@ -54,20 +54,23 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler { @@ -54,20 +54,23 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
//~ Methods ========================================================================================================
public void handle(ServletRequest request, ServletResponse response, AccessDeniedException accessDeniedException)
throws IOException, ServletException {
if (errorPage != null) {
// Put exception into request scope (perhaps of use to a view)
((HttpServletRequest) request).setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY,
accessDeniedException);
// Perform RequestDispatcher "forward"
RequestDispatcher rd = request.getRequestDispatcher(errorPage);
rd.forward(request, response);
}
throws IOException, ServletException {
if (!response.isCommitted()) {
// Send 403 (we do this after response has been written)
((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
if (errorPage != null) {
// Put exception into request scope (perhaps of use to a view)
request.setAttribute(SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY, accessDeniedException);
// Set the 403 status code.
HttpServletResponse resp = (HttpServletResponse) response;
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
// forward to error page.
RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
dispatcher.forward(request, response);
} else {
HttpServletResponse resp = (HttpServletResponse) response;
resp.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
}
}
}
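Review bot: When `response.isCommitted()` is already true, the new `handle` body now returns without doing anything, so an access-denied decision is neither written to the client nor recorded, and the caller has no way to tell; the old code at least attempted the forward in that case. A comment on the outer `if` should make that explicit, e.g. `// Response already committed: neither status nor error page can be changed, so the denial is dropped here (look for premature flushing upstream)`, and if the class has a logger available it would be worth a warn-level line there (the class header is outside this hunk, so I cannot confirm one exists). The cast `HttpServletResponse resp = (HttpServletResponse) response;` is repeated in both branches; hoist it once above the inner `if`, and note that `request.setAttribute(...)` now relies on the `ServletRequest` parameter type rather than the previous explicit `HttpServletRequest` cast, which is fine since `ServletRequest` declares it. Also worth a short note that `setStatus(SC_FORBIDDEN)` is intentionally placed before `forward`, since the dispatcher clears buffered body content but keeps the status already set.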
