Discussion:
Struts2 interceptor for AccessDeniedException
Josep García
2011-12-01 10:30:22 UTC
For Struts2 actions to correctly show 403 page and return 403 status when
an AccessDeniedException is thrown within actions code.

Must be added to the defaultStack of your struts.xml file.


import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.Interceptor;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;
import org.springframework.security.access.AccessDeniedException;

/**
 * Correctly report spring-security's AccessDeniedException thrown from
 * within Struts actions as 403 error
 * @author jgarcia
 */
public class AccessDeniedInterceptor implements Interceptor {

    public String intercept(ActionInvocation invocation) throws Exception {
        try {
            return invocation.invoke();
        } catch (AccessDeniedException e) {
            // Answer with HTTP 403 and return null so that Struts renders no result
            HttpServletResponse response = ServletActionContext.getResponse();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
    }

    /**
     * This method currently does nothing.
     */
    public void destroy() {
    }

    /**
     * This method currently does nothing.
     */
    public void init() {
    }

}

Cheers,
Josep
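
One way to register the interceptor from the post above in struts.xml, as an added example that is not part of the original post or of AppFuse. The package name, the stack name `appDefaultStack`, the interceptor name `accessDenied` and the class package `com.example.webapp.interceptor` are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
  <!-- Hypothetical package; adapt to the package your actions live in -->
  <package name="default" extends="struts-default">
    <interceptors>
      <!-- Class package is a placeholder for wherever AccessDeniedInterceptor is compiled -->
      <interceptor name="accessDenied"
                   class="com.example.webapp.interceptor.AccessDeniedInterceptor"/>

      <interceptor-stack name="appDefaultStack">
        <!-- The stock stack runs first; its first entry is the "exception" interceptor -->
        <interceptor-ref name="defaultStack"/>
        <!-- Listed last, so it is the innermost wrapper around the action and
             sees AccessDeniedException before any exception mapping does -->
        <interceptor-ref name="accessDenied"/>
      </interceptor-stack>
    </interceptors>

    <!-- Every action in this package now runs through the extended stack -->
    <default-interceptor-ref name="appDefaultStack"/>
  </package>
</struts>
```

Order matters here: interceptors listed earlier wrap those listed later, so an `accessDenied` entry placed before the `exception` interceptor would never see the exception if a global exception mapping for `java.lang.Exception` catches it first.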
Matt Raible
2011-12-01 16:07:02 UTC
Spring Security should handle this. Can you explain why you need this?
Josep García
2011-12-01 16:12:55 UTC
I am using spring-security annotations for the service level to control
update permissions. URL protection is not enough. Object id is important in
my case (multi-user platform).
Spring-sec URL protection lets me get into the page, but the service level
fires an AccessDenied exception, from within a call from a Struts action. If
I do not put this interceptor, a nasty crash appears.
Matt Raible
2011-12-01 16:16:09 UTC
Can you please add a JIRA for this and I'll add it to the next release? I hope to start working on AppFuse again in January.
Josep García
2011-12-01 16:34:22 UTC
Done:
http://issues.appfuse.org/browse/APF-1285