Brian Moseley wrote:
i've configured a custom error page for 403 responses in my web.xml. i
want that page to use the authz taglib to render itself differently
depending on whether the authentication for the request is anonymous
or represents a known user of my application.


This is discussed a few times on the forums. Essentially there is nothing we can do about it. Some people have modified the ExceptionTranslationFilter (RC2 rename of SecurityEnforcementFilter) method sendAccessDenied(ServletRequest, ServletResponse, FilterChain, AccessDeniedException) to store additional information in HttpSession given it's not available from the normal SecurityContextHolder. Alternatively, use a JSP-based 403 page and access the HttpSession attribute keyed on HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY to retrieve the user's details. This won't help you with the authz taglib, though, as it uses SecurityContextHolder. I suppose it's worth considering making it (and other taglibs) revert to checking the HttpSession directly if SecurityContextHolder doesn't contain an Authentication (such a check could be put into a static utility method for use by any taglib or templating system macro).

Cheers
Ben
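
The fallback lookup suggested in the reply above, sketched as an added example that is not part of the original message or of Acegi Security. The class `AuthenticationLookup` and its method names are hypothetical, and the imports assume the `org.acegisecurity` package names of the 1.0 releases:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

/** Hypothetical helper for error pages, taglibs or template macros. */
public final class AuthenticationLookup {

    private AuthenticationLookup() {
    }

    /** Returns the Authentication for this request, or null if none is found. */
    public static Authentication resolve(HttpServletRequest request) {
        // Normal case: the filter chain has populated the holder.
        SecurityContext current = SecurityContextHolder.getContext();
        if (current != null && current.getAuthentication() != null) {
            return current.getAuthentication();
        }

        // Fallback for pages rendered outside the filter chain, such as a
        // container-dispatched 403 page. getSession(false) avoids creating
        // a session for a visitor who does not already have one.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(
                HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);
        if (stored instanceof SecurityContext) {
            return ((SecurityContext) stored).getAuthentication();
        }
        return null;
    }

    /** True only for an authenticated, non-anonymous principal. */
    public static boolean isKnownUser(HttpServletRequest request) {
        Authentication auth = resolve(request);
        return auth != null
                && !(auth instanceof AnonymousAuthenticationToken)
                && auth.isAuthenticated();
    }
}
```

The session copy reflects the context as it was last stored there, so use it for rendering decisions on the error page only and leave access control to the filter chain.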


_______________________________________________
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
