How can I return an HTTP 403 status from a web service?

 
 
adamcrume@gmail.com
 
      06-16-2008
I have a Java bean web service which has different required roles per
method. (In one case, the required role even varies depending on the
parameters.) Since this can't be done declaratively, I'm calling
ServletEndpointContext.isUserInRole(String roleName) and throwing a
SecurityException if they're not. This works, but it returns an HTTP
status of 500. I would rather return the more appropriate status
403. Does anyone know how to do this without resorting to tricks like
using a filter and a ThreadLocal?
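
The filter-and-ThreadLocal approach named in the question, written out as an added example (it is not code from the thread or from any poster). The class name `ForbiddenStatusFilter` and the helper `requireRole` are hypothetical. It assumes the JAX-RPC servlet runs the endpoint on the filter's thread and reports the fault through `setStatus` or `sendError` on the response it was handed.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.rpc.server.ServletEndpointContext;

/** Hypothetical filter, mapped in web.xml to the URL of the JAX-RPC servlet. */
public class ForbiddenStatusFilter implements Filter {
    // Per-request flag: set by the endpoint when it denies the caller.
    private static final ThreadLocal<Boolean> DENIED = new ThreadLocal<Boolean>();

    /** Endpoint-side check: flag the request, then fail as the question describes. */
    public static void requireRole(ServletEndpointContext ctx, String role) {
        if (!ctx.isUserInRole(role)) {
            DENIED.set(Boolean.TRUE);
            // Generic message: the fault text is returned to the caller.
            throw new SecurityException("caller lacks required role");
        }
    }

    static boolean denied() { return Boolean.TRUE.equals(DENIED.get()); }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        DENIED.remove();   // pooled threads must not inherit a stale flag
        try {
            chain.doFilter(req, new StatusRewriter((HttpServletResponse) res));
        } finally {
            DENIED.remove();
        }
    }

    /** Changes only the status the SOAP runtime picks; the fault body passes through. */
    static final class StatusRewriter extends HttpServletResponseWrapper {
        StatusRewriter(HttpServletResponse r) { super(r); }

        private int rewrite(int sc) {
            return (denied() && sc == SC_INTERNAL_SERVER_ERROR) ? SC_FORBIDDEN : sc;
        }
        @Override public void setStatus(int sc) { super.setStatus(rewrite(sc)); }
        @Override public void setStatus(int sc, String m) { super.setStatus(rewrite(sc), m); }
        @Override public void sendError(int sc) throws IOException { super.sendError(rewrite(sc)); }
        @Override public void sendError(int sc, String m) throws IOException {
            super.sendError(rewrite(sc), m);
        }
    }
}
```

Because only a 500 raised while the flag is set is rewritten, genuine server errors still surface as 500 and access logs separate authorization denials from faults.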
 
Dave Miller
 
      06-17-2008
(E-Mail Removed) wrote:
> I have a Java bean web service which has different required roles per
> method. (In one case, the required role even varies depending on the
> parameters.) Since this can't be done declaratively, I'm calling
> ServletEndpointContext.isUserInRole(String roleName) and throwing a
> SecurityException if they're not. This works, but it returns an HTTP
> status of 500. I would rather return the more appropriate status
> 403. Does anyone know how to do this without resorting to tricks like
> using a filter and a ThreadLocal?


Why wouldn't you set the http Status-Line as part of your exception
handling (or off the boolean) rather than filtering?

HttpServletResponse.sendError(int code, String message) sets the headers
that you want to set. If you don't want to set the headers yourself, a
workaround could redirect to a jsp to sendError.

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/
 
adamcrume@gmail.com
 
      06-17-2008
I can't directly set the HTTP status because all I have access to in
the web service is a javax.xml.rpc.server.ServletEndpointContext and
all that entails. There seems to be no way to get access to the
HttpServletResponse.

If I write a handler, I have access to a
javax.xml.rpc.handler.MessageContext, but I could already have gotten
that from the ServletEndpointContext.

I tried setting an error page for SecurityException in web.xml, but it
didn't get used. That wouldn't have been acceptable anyway, because I
want the original SOAP body to be returned. I just want to modify the
HTTP status code.

I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
because of my server.

Dave Miller wrote:
> (E-Mail Removed) wrote:
> > I have a Java bean web service which has different required roles per
> > method. (In one case, the required role even varies depending on the
> > parameters.) Since this can't be done declaratively, I'm calling
> > ServletEndpointContext.isUserInRole(String roleName) and throwing a
> > SecurityException if they're not. This works, but it returns an HTTP
> > status of 500. I would rather return the more appropriate status
> > 403. Does anyone know how to do this without resorting to tricks like
> > using a filter and a ThreadLocal?

>
> Why wouldn't you set the http Status-Line as part of your exception
> handling (or off the boolean) rather than filtering?
>
> HttpServletResponse.sendError(int code, String message) sets the headers
> that you want to set. If you don't want to set the headers yourself, a
> workaround could redirect to a jsp to sendError.
>
> --
> Dave Miller
> Java Web Hosting at:
> http://www.cheap-jsp-hosting.com/

 
Dave Miller
 
      06-17-2008
(E-Mail Removed) wrote:
> I can't directly set the HTTP status because all I have access to in
> the web service is a javax.xml.rpc.server.ServletEndpointContext and
> all that entails. There seems to be no way to get access to the
> HttpServletResponse.
>
> If I write a handler, I have access to a
> javax.xml.rpc.handler.MessageContext, but I could already have gotten
> that from the ServletEndpointContext.
>
> I tried setting an error page for SecurityException in web.xml, but it
> didn't get used. That wouldn't have been acceptable anyway, because I
> want the original SOAP body to be returned. I just want to modify the
> HTTP status code.
>
> I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
> because of my server.
>
> Dave Miller wrote:
>> (E-Mail Removed) wrote:
>>> I have a Java bean web service which has different required roles per
>>> method. (In one case, the required role even varies depending on the
>>> parameters.) Since this can't be done declaratively, I'm calling
>>> ServletEndpointContext.isUserInRole(String roleName) and throwing a
>>> SecurityException if they're not. This works, but it returns an HTTP
>>> status of 500. I would rather return the more appropriate status
>>> 403. Does anyone know how to do this without resorting to tricks like
>>> using a filter and a ThreadLocal?

>> Why wouldn't you set the http Status-Line as part of your exception
>> handling (or off the boolean) rather than filtering?
>>
>> HttpServletResponse.sendError(int code, String message) sets the headers
>> that you want to set. If you don't want to set the headers yourself, a
>> workaround could redirect to a jsp to sendError.
>>
>> --
>> Dave Miller
>> Java Web Hosting at:
>> http://www.cheap-jsp-hosting.com/

You can get to HttpServletResponse with a very inelegant workaround:
ServletEndpointContext -> ServletContext -> RequestDispatcher -> new
resource to sendError. Instead, is making up a custom 403 page (or
something that looks like one) and returning that an easier option?

BTW, why can't you get JAX-WS?

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/
 
adamcrume@gmail.com
 
      06-17-2008
I don't see how getting a RequestDispatcher will help. You have to
pass it a request and response; you can't get them from it.

Like I said, my server doesn't support JAX-WS. We're on the latest
release, and I don't have authority to switch server software.

On Jun 17, 9:34 am, Dave Miller <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > I can't directly set the HTTP status because all I have access to in
> > the web service is a javax.xml.rpc.server.ServletEndpointContext and
> > all that entails. There seems to be no way to get access to the
> > HttpServletResponse.

>
> > If I write a handler, I have access to a
> > javax.xml.rpc.handler.MessageContext, but I could already have gotten
> > that from the ServletEndpointContext.

>
> > I tried setting an error page for SecurityException in web.xml, but it
> > didn't get used. That wouldn't have been acceptable anyway, because I
> > want the original SOAP body to be returned. I just want to modify the
> > HTTP status code.

>
> > I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
> > because of my server.

>
> > Dave Miller wrote:
> >> (E-Mail Removed) wrote:
> >>> I have a Java bean web service which has different required roles per
> >>> method. (In one case, the required role even varies depending on the
> >>> parameters.) Since this can't be done declaratively, I'm calling
> >>> ServletEndpointContext.isUserInRole(String roleName) and throwing a
> >>> SecurityException if they're not. This works, but it returns an HTTP
> >>> status of 500. I would rather return the more appropriate status
> >>> 403. Does anyone know how to do this without resorting to tricks like
> >>> using a filter and a ThreadLocal?
> >> Why wouldn't you set the http Status-Line as part of your exception
> >> handling (or off the boolean) rather than filtering?

>
> >> HttpServletResponse.sendError(int code, String message) sets the headers
> >> that you want to set. If you don't want to set the headers yourself, a
> >> workaround could redirect to a jsp to sendError.

>
> >> --
> >> Dave Miller
> >> Java Web Hosting at:
> >> http://www.cheap-jsp-hosting.com/

>
> You can get to HttpServletResponse with a very inelegant workaround
> ServletEndpointContext -> ServletContext -> RequestDispatcher -> new
> resource to sendError. Instead, is making up a custom 403 page (or
> something that looks like one) and returning that an easier option?
>
> BTW, why can't you get JAX-WS?
>
> --
> Dave Miller
> Java Web Hosting at: http://www.cheap-jsp-hosting.com/


 
Dave Miller
 
      06-17-2008
<snip>
>

OK then, some final thoughts:

1. For groups, please bottom post.
2. RD passes along whatever you give it.
3. I'm out of ideas - good luck with your project.

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/
 
adamcrume@gmail.com
 
      06-17-2008
On Jun 17, 10:49 am, Dave Miller <(E-Mail Removed)> wrote:
> <snip>
>
> OK then, some final thoughts:
>
> 1. For groups, please bottom post.
> 2. RD passes along whatever you give it.
> 3. I'm out of ideas - good luck with your project.
>
> --
> Dave Miller
> Java Web Hosting at: http://www.cheap-jsp-hosting.com/


Okay. Thanks for your time and thoughts.
 
Dave Miller
 
      06-18-2008
Lew wrote:
> Dave Miller wrote:
>> 1. For groups, please bottom post.

>
> No! Bad advice.
>
> Post in line, and trim what you quote.
>

I may have used the wrong syntax but what I meant was post below the
preceding reply. (like we're doing here). If it doesn't mean that, what
does "bottom post" mean?

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/
 
Arne Vajhøj
 
      06-18-2008
Dave Miller wrote:
> Lew wrote:
>> Dave Miller wrote:
>>> 1. For groups, please bottom post.

>>
>> No! Bad advice.
>>
>> Post in line, and trim what you quote.
>>

> I may have used the wrong syntax but what I meant was post below the
> preceding reply. (like we're doing here). If it doesn't mean that, what
> does "bottom post" mean?


I think Lew is arguing:

>A

re A
>B

re B

over:

>A
>B

re A
re B

Arne
 
Dave Miller
 
      06-18-2008
Lew wrote:

> Bottom posting: bad. Top-posting: Really evil. Inline posting: proper,
> if you trim the quotes.


I got your point from Arne.

The bottom versus inline bit goes to writing style. Inline is bottom
posting in a point / counterpoint style.

BTW - how are we doing on subject line?

--
Dave Miller
Java Web Hosting at:
http://www.cheap-jsp-hosting.com/
 