
Key: APF-800
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Minor
Assignee: Matt Raible
Reporter: Jason Thrasher
Votes: 0
Watchers: 0
AppFuse

AOP-based AccessDeniedException isn't caught properly at presentation layer

Created: 05/Jun/07 10:14 PM   Updated: 06/Jun/07 04:34 PM   Resolved: 06/Jun/07 04:34 PM
Component/s: Web - General
Affects Version/s: 2.0-RC1
Fix Version/s: 2.0-RC1

File Attachments: appfuse-web-AccessDenied-patch.txt (text file, 10 kB)

Environment: affects all Web-view based frameworks


Description
See http://www.nabble.com/AOP-security-bubbling-up-to-views-tf3870458s2369.html

AccessDeniedException doesn't properly bubble up to the view layer as intended.

The case is where a non-authorized, and non-ROLE_ADMIN, user tries to save a user. The UserSecurityAdvice should throw AccessDeniedException according to the aop:advisor, and the user should get a HTTP 403, and an "Access Denied" message page for their view.

This doesn't happen because the UserAction class doesn't catch an AccessDeniedException when saveUser is called. A catch statement in UserAction.save(), after the saveUser call, will fix it, generally:

        try {
            // saveUser() is the AOP-advised proxy call; UserSecurityAdvice may throw here
            user = userManager.saveUser(user);
        } catch (AccessDeniedException ade) {
            // turn the advice's exception into an HTTP 403 instead of an uncaught stack trace
            this.getResponse().sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

This affects both UserAction and SignupAction type controllers.

In the AppFuse 1.x implementation using Struts 1.x, the BaseAction was configured to catch this, and all Struts Actions extended BaseAction. AF2/Struts2 isn't set up the same way, so AccessDeniedException should be caught in each Action that needs it.

The attached patch fixes this for User/Signup controllers for JSF, Spring, Struts, and Tapestry web frameworks. It passes all maven tests on the current HEAD revision.
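The per-action catch the description recommends, written out as an added example rather than the attached patch or AppFuse's own UserAction source. It assumes that BaseAction exposes getResponse() and the ActionSupport helpers (addActionMessage, getText, SUCCESS), that the injected userManager is the Spring AOP proxy carrying UserSecurityAdvice, and that web.xml maps error code 403 to the application's access-denied page; the same pattern applies to SignupAction.

```java
package org.appfuse.webapp.action;

import javax.servlet.http.HttpServletResponse;

import org.acegisecurity.AccessDeniedException;
import org.appfuse.model.User;
import org.appfuse.service.UserManager;

// Hypothetical, trimmed Struts 2 action (example code, not the project's file).
// Assumes BaseAction provides getResponse() and the ActionSupport helpers.
public class UserAction extends BaseAction {
    private UserManager userManager; // Spring-injected AOP proxy (assumed)
    private User user;

    public void setUserManager(UserManager userManager) {
        this.userManager = userManager;
    }

    public void setUser(User user) {
        this.user = user;
    }

    public User getUser() {
        return user;
    }

    /**
     * Persists the edited user. The aop:advisor around saveUser() runs
     * UserSecurityAdvice.before(), which throws AccessDeniedException when a
     * non-ROLE_ADMIN caller tries to modify a different user's record.
     */
    public String save() throws Exception {
        try {
            user = userManager.saveUser(user);
        } catch (AccessDeniedException ade) {
            // Without this catch the exception propagates out of the action and
            // the user sees a stack trace page instead of "Access Denied".
            // sendError(403) lets the container render the error page that
            // web.xml maps to error code 403 (assumed to be configured).
            getResponse().sendError(HttpServletResponse.SC_FORBIDDEN);
            // Returning null tells Struts 2 the response has already been
            // written, so no result (view) is rendered on top of the 403.
            return null;
        }

        addActionMessage(getText("user.saved"));
        return SUCCESS;
    }
}
```

Catching the exception in the action rather than letting it escape matters for two reasons: the client gets a correct 403 status that monitoring and access logs can count as an authorization failure, and the response body is the application's access-denied page rather than a stack trace that leaks class names and line numbers of the security advice.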

Jason Thrasher added a comment - 05/Jun/07 10:50 PM
To recreate the bug using a default AppFuse Struts2 modular app do the following:

1) start the webapp (mvn jetty:run)
2) login as "user/user"
3) edit the user profile, change the Username to "user2"
4) press Save button

See this error:

Yikes!
org.acegisecurity.AccessDeniedException: Access Denied: Only administrators are allowed to modify other users.
at org.appfuse.service.UserSecurityAdvice.before(UserSecurityAdvice.java:63)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:49)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy22.saveUser(Unknown Source)
at org.appfuse.webapp.action.UserAction.save(UserAction.java:155)
[SNIP]

Matt Raible made changes - 05/Jun/07 10:51 PM
Fix Version/s: set to 2.0-RC1 [ 10151 ]
Matt Raible added a comment - 06/Jun/07 04:34 PM
Fixed in SVN: http://fisheye4.cenqua.com/changelog/appfuse?cs=2783

Thanks for the patch!

Matt Raible made changes - 06/Jun/07 04:34 PM
Resolution: Fixed [ 1 ]
Status: Open [ 1 ] -> Resolved [ 5 ]