Hello all,
I am using spring security (provides security services for J2EE apps) with Jersey(version 0.8) and have encountered a problem. Without going into too much detail about the inner-workings of spring security it basically uses servlet filters, annotations, and AOP to secure resource methods. So the resource method is called and the AOP before-method code checks the user principal for the required permissions (defined in an annotation on that method). Runtime exceptions are thrown if the user is logged in but does not have sufficient permission or the user is not logged in. These exceptions are supposed to be handled by the spring security servlet filters, however, on lines 172-176 of com.sun.jersey.spi.spring.container.servlet.SpringServlet all runtime exceptions are caught and logged but not re-thrown.
I am aware of the javax.ws.rs.ext.ExceptionMapper<E> interface that allows me to map Java exceptions to Responses. This works great when the user is logged in but has insufficient permissions; I simply map the exception to a 403 Response and I'm done. But when the user is not logged in I need the exception to reach spring security so that authentication can occur.
I've temporarily fixed the problem by removing the try/catch block from SpringServlet but obviously I don't want to maintain that code. Can this change be integrated into the Jersey code base? I don't see any reason for SpringServlet to eat runtime exceptions especially given the ExceptionMapper interface.
Thanks,
-Reece