Gabor Kaposi created DELTASPIKE-681:
---------------------------------------
Summary: Handling AccessDeniedException will run the secured method
Key: DELTASPIKE-681
URL: https://issues.apache.org/jira/browse/DELTASPIKE-681
Project: DeltaSpike
Issue Type: Bug
Components: Core, Security-Module
Affects Versions: 1.0.1
Reporter: Gabor Kaposi
I'm using DeltaSpike Security Module together with Picketlink. I created an
annotation:
    @Retention(value = RetentionPolicy.RUNTIME)
    @Target({ ElementType.TYPE, ElementType.METHOD })
    @Documented
    @SecurityBindingType
    public @interface Admin { }
Created an authorizer method:
    @Secures
    @Admin
    public boolean doSecuredCheck(InvocationContext invocationContext, BeanManager manager) throws Exception {
        return false; // Nobody is an admin!
    }
And created a secured method:
    @Admin
    public void test() {
        System.out.println("in method");
    }
So far this works fine, the method will not run when invoked from a
h:commandButton, because the authorizer method returns false. An
AccessDeniedException is thrown which will be displayed on the error page. It
is very ugly.
I wanted to handle the exception gracefully, so I created an exception handler:
    void printExceptions(@Handles ExceptionEvent<AccessDeniedException> evt) {
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage("You have no access!"));
    }
The exception handler is being called, no ugly error page, and I can see the
"You have no access!" message appearing on the page.
However, I can also see this in the console:
"in method"
So handling the exception caused the secured method to actually run!
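The behaviour reported above is a fail-open authorization path: the denial is signalled only through an exception, and once a handler consumes that exception the secured call still proceeds. The following plain-Java model is an added illustration, not DeltaSpike code and not a confirmed root cause; the class, the `failOpen`/`failClosed` methods and the `AccessDenied` type are hypothetical names. It contrasts that shape with a fail-closed one and checks that the secured body never runs after a denial.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BooleanSupplier;
import java.util.function.Consumer;

// Added illustration: a plain-Java model of a security interceptor (hypothetical names).
public class FailClosedDemo {
    static class AccessDenied extends RuntimeException {}

    // Records what ran, standing in for the console output and the FacesMessage.
    static final List<String> log = new ArrayList<>();

    // Fail-open shape (assumed, to reproduce the symptom): the denial is handed to
    // a handler, and if the handler returns normally the target is still invoked.
    static void failOpen(BooleanSupplier authorizer, Consumer<AccessDenied> handler, Runnable target) {
        if (!authorizer.getAsBoolean()) {
            handler.accept(new AccessDenied());
        }
        target.run();
    }

    // Fail-closed shape: a denial ends the invocation no matter what the handler does.
    static void failClosed(BooleanSupplier authorizer, Consumer<AccessDenied> handler, Runnable target) {
        if (!authorizer.getAsBoolean()) {
            handler.accept(new AccessDenied());
            return; // never reach the secured method after a denial
        }
        target.run();
    }

    public static void main(String[] args) {
        BooleanSupplier nobodyIsAdmin = () -> false;                     // authorizer from the report
        Consumer<AccessDenied> friendly = e -> log.add("You have no access!");
        Runnable secured = () -> log.add("in method");                   // secured method body

        failOpen(nobodyIsAdmin, friendly, secured);
        System.out.println("fail-open:   " + log);
        if (!log.contains("in method")) throw new AssertionError("model should reproduce the symptom");

        log.clear();
        failClosed(nobodyIsAdmin, friendly, secured);
        System.out.println("fail-closed: " + log);
        if (log.contains("in method")) throw new AssertionError("secured method ran after denial");
    }
}
```

The second check is the regression assertion worth keeping in a real test suite: after a handled denial, the side effect of the secured method must be absent.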