[
https://issues.apache.org/jira/browse/WW-3811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283140#comment-13283140
]
Xu Hui Sheng commented on WW-3811:
----------------------------------
We used Jersey to export our service as a RESTful API, and we used annotations to
control method access. Then this issue occurred.
In our application, URL authorization is not enough; we need method-level
access control to limit the permissions of the requester.
> dont let struts auto catch Exception and send 500 error
> -------------------------------------------------------
>
> Key: WW-3811
> URL: https://issues.apache.org/jira/browse/WW-3811
> Project: Struts 2
> Issue Type: Bug
> Components: Dispatch Filter
> Affects Versions: 2.3.3
> Environment: struts2, spring security
> Reporter: Xu Hui Sheng
> Labels: catchexception, springsecurity
> Fix For: 2.3.5
>
>
> struts2 with spring security.
> The Spring Security security method interceptor may throw an
> org.springframework.security.access.AccessDeniedException. It needs to be
> caught by
> org.springframework.security.web.access.ExceptionTranslationFilter and then be
> translated to a 403 error.
> But the org.apache.struts2.dispatcher.Dispatcher always catches the Exceptions
> thrown from its actions and converts them to a 500 error, so the
> behavior of spring security becomes weird. I also cannot define an
> <error-page> with
> <exception-type>org.springframework.security.access.AccessDeniedException, or
> <error-page><error-code>403</error-code>, because struts2 already hides all of
> the details of this exception.
> Now I have just two options to choose from. The first is to use
> ExceptionMappingInterceptor and map AccessDeniedException to 403.jsp;
> this causes duplicated configuration, as I have to define 403.jsp in both
> web.xml and struts.xml.
> The second choice is modifying the source code of Dispatcher, just commenting
> out line 533:
> sendError(request, response, context,
> HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e);
> I wish there could be an option like 'struts.convert.exception=false' to
> close this default behavior, so we could use spring security with struts2
> more flexibly.
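
The ordering problem described in the report, as an added example that is not part of the original message or of the Struts or Spring code: a plain-Java model in which an inner dispatcher either swallows or rethrows an exception before an outer translation layer sees it. Every class and method name below is a hypothetical stand-in, and the 500/403 behaviour is modelled only as the report describes it.

```java
import java.util.function.Supplier;

// Added illustration: plain-Java model of the layering described in WW-3811.
// Names are hypothetical stand-ins, not Struts or Spring Security APIs.
public class ExceptionOrderingDemo {

    // Stand-in for org.springframework.security.access.AccessDeniedException.
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // Stand-in for a secured action method whose method-level check rejects the caller.
    static int securedAction() {
        throw new AccessDeniedException("caller lacks required role");
    }

    // Inner layer, modelled on the behaviour the report attributes to Dispatcher:
    // when swallow is true, every exception becomes a 500 and never propagates.
    static int dispatcher(Supplier<Integer> action, boolean swallow) {
        try {
            return action.get();
        } catch (RuntimeException e) {
            if (swallow) {
                return 500; // exception type and details are lost at this point
            }
            throw e;        // requested behaviour: let the outer filters decide
        }
    }

    // Outer layer, modelled on ExceptionTranslationFilter: it can only translate
    // an AccessDeniedException that actually reaches it.
    static int translationFilter(Supplier<Integer> inner) {
        try {
            return inner.get();
        } catch (AccessDeniedException e) {
            return 403;
        }
    }

    public static void main(String[] args) {
        int swallowed = translationFilter(() -> dispatcher(ExceptionOrderingDemo::securedAction, true));
        int rethrown = translationFilter(() -> dispatcher(ExceptionOrderingDemo::securedAction, false));
        System.out.println("dispatcher swallows exception -> HTTP " + swallowed);
        System.out.println("dispatcher rethrows exception -> HTTP " + rethrown);
    }
}
```

In this model the authorization decision is still enforced in both cases; what changes is whether the outer layer can report it as an access denial or only sees a generic server error.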