  1. Undertow
  2. UNDERTOW-2139

Auth mechanism failures (401,403) don't use servlet error pages


    • Clarification
    • Resolution: Done
    • Major
    • Documentation
    • Seems like the recent doc has a paragraph pointing to "servlet handlers" at the top. Safe to say one can assume the mentioned content is not meant for servlet deployments.

      From what I can tell in the code, when I'm using the auth handlers, a request has been marked as requiring authentication, and the auth fails, the exchange ends before the request reaches the servlet, which means any configured error page will not be used.  In my specific example, I'm using the client cert auth mechanism and my `Account verify(Credential credential)` method is returning null to indicate the incoming cert does not meet my requirements.  

      I'm unclear if Undertow's SecurityInitialHandler is specific to the servlet or just a generic Undertow feature, but I need my custom 403 error page to be used in this case.  

       

      Reminder, a while back I sent a pull to add the SendErrorPageHandler() into the servlet handler chain

      https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/core/DeploymentManagerImpl.java#L230

      It automatically sends any servlet-configured error page, but I'm a little unclear looking at the code if the send error page handler actually executes before or after the security initial handler.

              rhn-cservice-bbaranow Bartosz Baranowski
              bdw429s Brad Wood (Inactive)
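
The behaviour described in the issue (a failed authentication ends the exchange before the application handler runs) can be observed, and a custom 401/403 body supplied, in a plain non-servlet handler chain by registering a `DefaultResponseListener` outside the security handlers. This is an added example, not code from the issue or from the Undertow project, and it does not show how servlet error-page mappings are resolved. Assumptions: the class name, the reject-all identity manager, the port, the HTML body, and Basic auth standing in for the client-cert mechanism so that no TLS setup is needed.

```java
import io.undertow.Undertow;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.*;
import io.undertow.security.idm.*;
import io.undertow.security.impl.BasicAuthenticationMechanism;
import io.undertow.server.HttpHandler;
import io.undertow.util.Headers;
import java.util.Collections;
import java.util.List;

public class AuthErrorPageExample {
    // Constructed identity manager: rejects every credential, like a verify() that returns null.
    static final IdentityManager REJECT_ALL = new IdentityManager() {
        public Account verify(Account account) { return null; }
        public Account verify(String id, Credential credential) { return null; }
        public Account verify(Credential credential) { return null; }
    };

    // Outermost wrapper: the listener is registered before any security handler runs,
    // so it is still consulted when the auth handlers end the exchange early.
    static HttpHandler withAuthErrorPage(HttpHandler next) {
        return exchange -> {
            exchange.addDefaultResponseListener(ex -> {
                int status = ex.getStatusCode();
                if ((status != 401 && status != 403) || !ex.isResponseChannelAvailable()) {
                    return false; // not an auth failure, or a body is already being written
                }
                ex.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/html");
                ex.getResponseSender().send(
                        "<html><body><h1>" + status + "</h1><p>Access denied.</p></body></html>");
                return true; // this listener produced the response
            });
            next.handleRequest(exchange);
        };
    }

    public static void main(String[] args) {
        HttpHandler app = exchange -> exchange.getResponseSender().send("secret"); // never reached
        HttpHandler chain = new AuthenticationCallHandler(app);
        chain = new AuthenticationConstraintHandler(chain); // every request requires authentication
        List<AuthenticationMechanism> mechs =
                Collections.singletonList(new BasicAuthenticationMechanism("Example Realm"));
        chain = new AuthenticationMechanismsHandler(chain, mechs);
        chain = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, REJECT_ALL, chain);
        Undertow.builder().addHttpListener(8080, "localhost")
                .setHandler(withAuthErrorPage(chain)).build().start();
    }
}
```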