Example 1 with NotAuthorizedResult
use of org.summerb.security.api.dto.NotAuthorizedResult in project summerb by skarpushin.
the class ControllerExceptionHandlerStrategyLegacyImpl method buildJsonError.
/**
* This peace of crap needs to be removed. Because in case of JSON it's rest
* API, there is no place for {@link ModelAndView}. Response should be pure JSON
* content.
*
* So instead of implementing it here it's better to just re-throw exception and
* let {@link RestExceptionTranslator} handle it and gracefully convert it into
* json description of error happened
*/
protected ModelAndView buildJsonError(Throwable ex, HttpServletRequest req, HttpServletResponse res) {
String msg = exceptionTranslator.buildUserMessage(ex, LocaleContextHolder.getLocale());
NotAuthorizedException nae;
FieldValidationException fve;
AccessDeniedException ade;
boolean translateAuthExc = Boolean.TRUE.equals(Boolean.valueOf(req.getHeader(RestExceptionTranslator.X_TRANSLATE_AUTHORIZATION_ERRORS)));
if ((nae = ExceptionUtils.findExceptionOfType(ex, NotAuthorizedException.class)) != null) {
NotAuthorizedResult naeResult = nae.getResult();
res.setStatus(isAnonymous() ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
if (translateAuthExc) {
return new ModelAndView(jsonView, ControllerBase.ATTR_EXCEPTION, msg);
} else {
respondWithJson(naeResult, res);
return null;
}
} else if ((ade = ExceptionUtils.findExceptionOfType(ex, AccessDeniedException.class)) != null) {
res.setStatus(isAnonymous() ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
if (translateAuthExc) {
return new ModelAndView(jsonView, ControllerBase.ATTR_EXCEPTION, msg);
} else {
respondWithJson(new NotAuthorizedResult(getCurrentUser(), SecurityMessageCodes.ACCESS_DENIED), res);
return null;
}
} else if ((fve = ExceptionUtils.findExceptionOfType(ex, FieldValidationException.class)) != null) {
res.setStatus(HttpServletResponse.SC_BAD_REQUEST);
ValidationErrorsVm vepm = new ValidationErrorsVm(fve.getErrors());
return new ModelAndView(jsonView, ControllerBase.ATTR_VALIDATION_ERRORS, vepm.getMsg());
}
log.warn("Failed to process request", ex);
res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return new ModelAndView(jsonView, ControllerBase.ATTR_EXCEPTION, msg);
}
Also used :
FieldValidationException(org.summerb.validation.FieldValidationException)
AccessDeniedException(org.springframework.security.access.AccessDeniedException)
ValidationErrorsVm(org.summerb.webappboilerplate.model.ValidationErrorsVm)
ModelAndView(org.springframework.web.servlet.ModelAndView)
NotAuthorizedResult(org.summerb.security.api.dto.NotAuthorizedResult)
NotAuthorizedException(org.summerb.security.api.exceptions.NotAuthorizedException)
Example 2 with NotAuthorizedResult
use of org.summerb.security.api.dto.NotAuthorizedResult in project summerb by skarpushin.
the class RestExceptionTranslator method determineFailureResult.
protected DtoBase determineFailureResult(Exception ex, HttpServletRequest request, HttpServletResponse response) {
// first see if it is FVE
FieldValidationException fve = ExceptionUtils.findExceptionOfType(ex, FieldValidationException.class);
if (fve != null) {
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return fve.getErrorDescriptionObject();
}
boolean translateAuthErrors = Boolean.TRUE.equals(Boolean.valueOf(request.getHeader(X_TRANSLATE_AUTHORIZATION_ERRORS)));
GenericServerErrorResult ret = null;
if (translateAuthErrors) {
ret = new GenericServerErrorResult(buildUserMessage(ex, request), new ExceptionInfo(ex));
}
NotAuthorizedException naex = ExceptionUtils.findExceptionOfType(ex, NotAuthorizedException.class);
if (naex != null) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return ret != null ? ret : naex.getResult();
}
AuthenticationException ae = ExceptionUtils.findExceptionOfType(ex, AuthenticationException.class);
if (ae != null) {
// NOTE: See how we did that in AuthenticationFailureHandlerImpl...
// Looks like we need to augment our custom RestLoginFilter so it
// will put username to request
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return ret != null ? ret : new NotAuthorizedResult("(username not resolved)", SecurityMessageCodes.AUTH_FATAL);
}
AccessDeniedException ade = ExceptionUtils.findExceptionOfType(ex, AccessDeniedException.class);
if (ade != null) {
if (authenticationTrustResolver.isAnonymous(SecurityContextHolder.getContext().getAuthentication())) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return ret != null ? ret : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.LOGIN_REQUIRED);
}
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return ret != null ? ret : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.ACCESS_DENIED);
}
CurrentUserNotFoundException cunfe = ExceptionUtils.findExceptionOfType(ex, CurrentUserNotFoundException.class);
if (cunfe != null) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return ret != null ? ret : new NotAuthorizedResult(getCurrentUser(null), SecurityMessageCodes.LOGIN_REQUIRED);
}
// TBD: Do we really need to send whole stack trace to client ??? I think we
// should do it only during development
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return new GenericServerErrorResult(buildUserMessage(ex, request), new ExceptionInfo(ex));
}
Also used :
FieldValidationException(org.summerb.validation.FieldValidationException)
AccessDeniedException(org.springframework.security.access.AccessDeniedException)
AuthenticationException(org.springframework.security.core.AuthenticationException)
NotAuthorizedResult(org.summerb.security.api.dto.NotAuthorizedResult)
CurrentUserNotFoundException(org.summerb.security.api.CurrentUserNotFoundException)
NotAuthorizedException(org.summerb.security.api.exceptions.NotAuthorizedException)
GenericServerErrorResult(org.summerb.utils.exceptions.dto.GenericServerErrorResult)
ExceptionInfo(org.summerb.utils.exceptions.dto.ExceptionInfo)
Example 3 with NotAuthorizedResult
use of org.summerb.security.api.dto.NotAuthorizedResult in project summerb by skarpushin.
the class RestInvalidSessionStrategy method onInvalidSessionDetected.
@Override
public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
// create new session, which will result in JSESSIONID coockie reset
request.getSession();
// Report that session changed and need to reestablish request
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
jsonResponseHelper.writeResponseBody(new NotAuthorizedResult("anonymous", SecurityMessageCodes.INVALID_SESSION), response);
}
Also used :
NotAuthorizedResult(org.summerb.security.api.dto.NotAuthorizedResult)
Aggregations
NotAuthorizedResult (org.summerb.security.api.dto.NotAuthorizedResult)3
AccessDeniedException (org.springframework.security.access.AccessDeniedException)2
NotAuthorizedException (org.summerb.security.api.exceptions.NotAuthorizedException)2
FieldValidationException (org.summerb.validation.FieldValidationException)2
AuthenticationException (org.springframework.security.core.AuthenticationException)1
ModelAndView (org.springframework.web.servlet.ModelAndView)1
CurrentUserNotFoundException (org.summerb.security.api.CurrentUserNotFoundException)1
ExceptionInfo (org.summerb.utils.exceptions.dto.ExceptionInfo)1
GenericServerErrorResult (org.summerb.utils.exceptions.dto.GenericServerErrorResult)1
ValidationErrorsVm (org.summerb.webappboilerplate.model.ValidationErrorsVm)1
