How can I return an HTTP 403 status from a web service?

[adamcrume]

I have a Java bean web service which has different required roles per
method. (In one case, the required role even varies depending on the
parameters.) Since this can't be done declaratively, I'm calling
ServletEndpointContext.isUserInRole(String roleName) and throwing a
SecurityException if they're not. This works, but it returns an HTTP
status of 500. I would rather return the more appropriate status
403. Does anyone know how to do this without resorting to tricks like
using a filter and a ThreadLocal?

 

[Dave Miller]

I have a Java bean web service which has different required roles per
method. (In one case, the required role even varies depending on the
parameters.) Since this can't be done declaratively, I'm calling
ServletEndpointContext.isUserInRole(String roleName) and throwing a
SecurityException if they're not. This works, but it returns an HTTP
status of 500. I would rather return the more appropriate status
403. Does anyone know how to do this without resorting to tricks like
using a filter and a ThreadLocal?

Why wouldn't you set the http Status-Line as part of your exception
handling (or off the boolean) rather than filtering?

HttpServletResponse.sendError(int code, String message) sets the headers
that you want to set. If you don't want to set the headers yourself, a
workaround could redirect to a jsp to sendError.

 

[adamcrume]

I can't directly set the HTTP status because all I have access to in
the web service is a javax.xml.rpc.server.ServletEndpointContext and
all that entails. There seems to be no way to get access to the
HttpServletResponse.

If I write a handler, I have access to to a
javax.xml.rpc.handler.MessageContext, but I could already have gotten
that from the ServletEndpointContext.

I tried setting an error page for SecurityException in web.xml, but it
didn't get used. That wouldn't have been acceptable anyway, because I
want the original SOAP body to be returned. I just want to modify the
HTTP status code.

I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
because of my server.

 

[Dave Miller]

I can't directly set the HTTP status because all I have access to in
the web service is a javax.xml.rpc.server.ServletEndpointContext and
all that entails. There seems to be no way to get access to the
HttpServletResponse.

If I write a handler, I have access to to a
javax.xml.rpc.handler.MessageContext, but I could already have gotten
that from the ServletEndpointContext.

I tried setting an error page for SecurityException in web.xml, but it
didn't get used. That wouldn't have been acceptable anyway, because I
want the original SOAP body to be returned. I just want to modify the
HTTP status code.

I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
because of my server.

You can get to HttpServletResponse with a very inelegant workaround
ServletEndpointContext -> ServletContext -> RequestDispatcher -> new
resource to sendError. Instead, is making up a custom 403 page (or
something that looks like one) and returning that an easier option?

BTW, why can't you get JAX-WS?

 

[adamcrume]

I don't see how getting a RequestDispatcher will help. You have to
pass it a request and response; you can't get them from it.

Like I said, my server doesn't support JAX-WS. We're on the latest
release, and I don't have authority to switch server software.

 

[Dave Miller]

OK then, some final thoughts:

1. For groups, please bottom post.
2. RD passes along whatever you give it.
3. I'm out of ideas - good luck with your project.

 

[adamcrume]

<snip>

OK then, some final thoughts:

1. For groups, please bottom post.
2. RD passes along whatever you give it.
3. I'm out of ideas - good luck with your project.

Okay. Thanks for your time and thoughts.

 

[Dave Miller]

No! Bad advice.

Post in line, and trim what you quote.

I may have used the wrong syntax but what I meant was post below the
preceding reply. (like we're doing here). If it doesn't mean that, what
does "bottom post" mean?

 

[Arne Vajhøj]

I may have used the wrong syntax but what I meant was post below the
preceding reply. (like we're doing here). If it doesn't mean that, what
does "bottom post" mean?

I think lew is arguing:

>A re A
>B

re B

over:

>A
>B

re A
re B

Arne

 

[Dave Miller]

Bottom posting: bad. Top-posting: Really evil. Inline posting: proper,
if you trim the quotes.

I got your point from Arnie.

The bottom versus inline bit goes to writing style. Inline is bottom
posting in a point / counterpoint style.

BTW - how are we doing on subject line.