users@jersey.java.net

Spring Security and jersey rolesallowed filter, logging and committed responses

From: <FSauer_at_dsthealthsolutions.com>
Date: Tue, 22 Dec 2009 14:30:16 -0600

I wrote a Spring-aware version of the RolesAllowedResourceFilter with this
filter method:

    public ContainerRequest filter(ContainerRequest request) {
        // if filter was created, authentication is required
        if (sc.getUserPrincipal() == null) {
            // not authenticated, so make Spring redirect to authentication
            throw new AuthenticationCredentialsNotFoundException(
                    "resource requires Authentication");
        }
        if (!denyAll) {
            for (String role : rolesAllowed) {
                if (sc.isUserInRole(role))
                    return request;
            }
        }
        // required role not present in principal, deny access
        throw new AccessDeniedException("Insufficient privileges: " +
                sc.getUserPrincipal().getName());
    }

which causes the Spring security config to kick in and properly do
redirects to access denied pages when needed and stuff like that.
Unfortunately, the jersey container logs these exceptions:

Dec 22, 2009 2:20:02 PM
com.sun.jersey.server.impl.application.WebApplicationImpl _handleRequest
SEVERE: The RuntimeException could not be mapped to a response,
re-throwing to the HTTP container
org.springframework.security.AccessDeniedException: Insufficient
privileges: jack

is there a way to configure the jersey container servlet to NOT log these
exceptions?

I tried NOT to do this and keep Spring out of this and instead try to
somehow handle the 403 response in the spring layer, but the Response
coming out of jersey is already committed, so the forward to the access
denied page fails with a "response already committed" IllegalStateException...

any ideas?

Thanks,

Frank
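The "could not be mapped to a response" line in the log above is Jersey reporting that no JAX-RS ExceptionMapper claimed the exception before it fell through to the servlet container. The following is an added example (not code from this thread, Jersey or Spring Security) of mappers that turn the two Spring Security exceptions thrown by the filter into plain 401/403 responses, so Jersey no longer logs them as unmapped. It assumes the Spring Security 2.x package names shown in the logged stack (org.springframework.security.*) and the JAX-RS 1.x API that Jersey 1.x implements; the class names, the "api" realm string and the response bodies are this example's own choices.

```java
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.springframework.security.AccessDeniedException;
import org.springframework.security.AuthenticationCredentialsNotFoundException;

/**
 * Maps Spring Security's AccessDeniedException (thrown by the roles-allowed
 * filter when the principal lacks every allowed role) to an HTTP 403.
 * Because Jersey now produces the response itself, it stops logging the
 * exception as "could not be mapped".
 */
@Provider
public class AccessDeniedMapper implements ExceptionMapper<AccessDeniedException> {

    public Response toResponse(AccessDeniedException e) {
        // The filter puts the principal name into the exception message;
        // keep that in server-side logs only and return a fixed body.
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN_TYPE)
                .entity("Forbidden")
                .build();
    }
}

/**
 * Maps the "not authenticated" case to an HTTP 401. The WWW-Authenticate
 * header is what tells a non-browser client which scheme to use; the
 * realm value here is an assumption for this example.
 */
@Provider
class NotAuthenticatedMapper
        implements ExceptionMapper<AuthenticationCredentialsNotFoundException> {

    public Response toResponse(AuthenticationCredentialsNotFoundException e) {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", "Basic realm=\"api\"")
                .type(MediaType.TEXT_PLAIN_TYPE)
                .entity("Authentication required")
                .build();
    }
}
```

Both classes are shown in one file for brevity; in a project each @Provider goes in its own file and has to be visible to Jersey, either through its package-scanning init-param or by registering the mapper as a Spring bean when the Spring-integrated servlet is used. The trade-off to be aware of: once a mapper has built the response, Spring Security's exception translation filter never sees the exception, so the redirect-to-login and access-denied-page behaviour described in the message above no longer happens. That makes the mapper approach a fit for API clients that expect status codes, while the redirect approach remains the one for browser-facing resources.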
