Gabor Kaposi created DELTASPIKE-681:
---------------------------------------

Summary: Handling AccessDeniedException will run the secured method
Key: DELTASPIKE-681
URL: https://issues.apache.org/jira/browse/DELTASPIKE-681
Project: DeltaSpike
Issue Type: Bug
Components: Core, Security-Module
Affects Versions: 1.0.1
Reporter: Gabor Kaposi

I'm using DeltaSpike Security Module together with PicketLink.

I created an annotation:

    @Retention(value = RetentionPolicy.RUNTIME)
    @Target({ ElementType.TYPE, ElementType.METHOD })
    @Documented
    @SecurityBindingType
    public @interface Admin {
    }

Created an authorizer method:

    @Secures
    @Admin
    public boolean doSecuredCheck(InvocationContext invocationContext, BeanManager manager) throws Exception {
        return false; // Nobody is an admin!
    }

And created a secured method:

    @Admin
    public void test() {
        System.out.println("in method");
    }

So far this works fine, the method will not run when invoked from a h:commandButton, because the authorizer method returns false. An AccessDeniedException is thrown which will be displayed on the error page. It is very ugly.

I wanted to handle the exception gracefully, so I created an exception handler:

    void printExceptions(@Handles ExceptionEvent<AccessDeniedException> evt) {
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage("You have no access!"));
    }

The exception handler is being called, no ugly error page, and I can see the "You have no access!" message appearing on the page.

However, I can also see this in the console:

    "in method"

So handling the exception caused the secured method to actually run!

--
This message was sent by Atlassian JIRA (v6.2#6252)