How can I return an HTTP 403 status from a web service?

Discussion in 'Java' started by adamcrume@gmail.com, Jun 16, 2008.

  1. Guest

    I have a Java bean web service which has different required roles per
    method. (In one case, the required role even varies depending on the
    parameters.) Since this can't be done declaratively, I'm calling
    ServletEndpointContext.isUserInRole(String roleName) and throwing a
    SecurityException if they're not. This works, but it returns an HTTP
    status of 500. I would rather return the more appropriate status
    403. Does anyone know how to do this without resorting to tricks like
    using a filter and a ThreadLocal?
     
    , Jun 16, 2008
    #1

  2. Dave Miller Guest

    wrote:
    > I have a Java bean web service which has different required roles per
    > method. (In one case, the required role even varies depending on the
    > parameters.) Since this can't be done declaratively, I'm calling
    > ServletEndpointContext.isUserInRole(String roleName) and throwing a
    > SecurityException if they're not. This works, but it returns an HTTP
    > status of 500. I would rather return the more appropriate status
    > 403. Does anyone know how to do this without resorting to tricks like
    > using a filter and a ThreadLocal?


    Why wouldn't you set the http Status-Line as part of your exception
    handling (or off the boolean) rather than filtering?

    HttpServletResponse.sendError(int code, String message) sets the headers
    that you want to set. If you don't want to set the headers yourself, a
    workaround could redirect to a jsp to sendError.

    --
    Dave Miller
    Java Web Hosting at:
    http://www.cheap-jsp-hosting.com/
     
    Dave Miller, Jun 17, 2008
    #2

  3. Guest

    I can't directly set the HTTP status because all I have access to in
    the web service is a javax.xml.rpc.server.ServletEndpointContext and
    all that entails. There seems to be no way to get access to the
    HttpServletResponse.

    If I write a handler, I have access to a
    javax.xml.rpc.handler.MessageContext, but I could already have gotten
    that from the ServletEndpointContext.

    I tried setting an error page for SecurityException in web.xml, but it
    didn't get used. That wouldn't have been acceptable anyway, because I
    want the original SOAP body to be returned. I just want to modify the
    HTTP status code.

    I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
    because of my server.

    Dave Miller wrote:
    > wrote:
    > > I have a Java bean web service which has different required roles per
    > > method. (In one case, the required role even varies depending on the
    > > parameters.) Since this can't be done declaratively, I'm calling
    > > ServletEndpointContext.isUserInRole(String roleName) and throwing a
    > > SecurityException if they're not. This works, but it returns an HTTP
    > > status of 500. I would rather return the more appropriate status
    > > 403. Does anyone know how to do this without resorting to tricks like
    > > using a filter and a ThreadLocal?

    >
    > Why wouldn't you set the http Status-Line as part of your exception
    > handling (or off the boolean) rather than filtering?
    >
    > HttpServletResponse.sendError(int code, String message) sets the headers
    > that you want to set. If you don't want to set the headers yourself, a
    > workaround could redirect to a jsp to sendError.
    >
    > --
    > Dave Miller
    > Java Web Hosting at:
    > http://www.cheap-jsp-hosting.com/
     
    , Jun 17, 2008
    #3
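
The filter-and-ThreadLocal approach mentioned in the question, sketched as an added example that is not part of the thread and not any poster's code. The class name `ForbiddenStatusFilter` and its `markForbidden()` helper are hypothetical, and the sketch assumes the JAX-RPC runtime reports the SOAP fault through `setStatus(500)`; a runtime that uses `sendError` or the two-argument `setStatus` would need those methods overridden as well.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical filter, mapped in web.xml to the JAX-RPC endpoint URL. */
public class ForbiddenStatusFilter implements Filter {
    // Per-request flag; a request is serviced on a single container thread.
    private static final ThreadLocal<Boolean> DENIED = new ThreadLocal<Boolean>();

    /** The endpoint calls this just before throwing its SecurityException. */
    public static void markForbidden() {
        DENIED.set(Boolean.TRUE);
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        DENIED.remove(); // pooled threads may carry a stale flag
        try {
            chain.doFilter(req, new HttpServletResponseWrapper(http) {
                // Assumption: the runtime signals the fault with setStatus(500).
                // Swap in 403 only when the endpoint flagged an authorization
                // failure; the SOAP fault body is written through unchanged.
                public void setStatus(int sc) {
                    boolean denied = Boolean.TRUE.equals(DENIED.get());
                    super.setStatus(denied && sc == SC_INTERNAL_SERVER_ERROR
                            ? SC_FORBIDDEN : sc);
                }
            });
        } finally {
            DENIED.remove(); // never leak the flag into the next request
        }
    }
}
```

In the endpoint, the call to `ForbiddenStatusFilter.markForbidden()` goes immediately after `isUserInRole` returns false and before the `SecurityException` is thrown, so unrelated 500 responses keep their status.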
  4. Dave Miller Guest

    wrote:
    > I can't directly set the HTTP status because all I have access to in
    > the web service is a javax.xml.rpc.server.ServletEndpointContext and
    > all that entails. There seems to be no way to get access to the
    > HttpServletResponse.
    >
    > If I write a handler, I have access to a
    > javax.xml.rpc.handler.MessageContext, but I could already have gotten
    > that from the ServletEndpointContext.
    >
    > I tried setting an error page for SecurityException in web.xml, but it
    > didn't get used. That wouldn't have been acceptable anyway, because I
    > want the original SOAP body to be returned. I just want to modify the
    > HTTP status code.
    >
    > I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
    > because of my server.
    >
    > Dave Miller wrote:
    >> wrote:
    >>> I have a Java bean web service which has different required roles per
    >>> method. (In one case, the required role even varies depending on the
    >>> parameters.) Since this can't be done declaratively, I'm calling
    >>> ServletEndpointContext.isUserInRole(String roleName) and throwing a
    >>> SecurityException if they're not. This works, but it returns an HTTP
    >>> status of 500. I would rather return the more appropriate status
    >>> 403. Does anyone know how to do this without resorting to tricks like
    >>> using a filter and a ThreadLocal?

    >> Why wouldn't you set the http Status-Line as part of your exception
    >> handling (or off the boolean) rather than filtering?
    >>
    >> HttpServletResponse.sendError(int code, String message) sets the headers
    >> that you want to set. If you don't want to set the headers yourself, a
    >> workaround could redirect to a jsp to sendError.
    >>
    >> --
    >> Dave Miller
    >> Java Web Hosting at:
    >> http://www.cheap-jsp-hosting.com/

    You can get to HttpServletResponse with a very inelegant workaround:
    ServletEndpointContext -> ServletContext -> RequestDispatcher -> new
    resource to sendError. Instead, is making up a custom 403 page (or
    something that looks like one) and returning that an easier option?

    BTW, why can't you get JAX-WS?

    --
    Dave Miller
    Java Web Hosting at:
    http://www.cheap-jsp-hosting.com/
     
    Dave Miller, Jun 17, 2008
    #4
  5. Guest

    I don't see how getting a RequestDispatcher will help. You have to
    pass it a request and response; you can't get them from it.

    Like I said, my server doesn't support JAX-WS. We're on the latest
    release, and I don't have authority to switch server software.

    On Jun 17, 9:34 am, Dave Miller <> wrote:
    > wrote:
    > > I can't directly set the HTTP status because all I have access to in
    > > the web service is a javax.xml.rpc.server.ServletEndpointContext and
    > > all that entails. There seems to be no way to get access to the
    > > HttpServletResponse.

    >
    > > If I write a handler, I have access to a
    > > javax.xml.rpc.handler.MessageContext, but I could already have gotten
    > > that from the ServletEndpointContext.

    >
    > > I tried setting an error page for SecurityException in web.xml, but it
    > > didn't get used. That wouldn't have been acceptable anyway, because I
    > > want the original SOAP body to be returned. I just want to modify the
    > > HTTP status code.

    >
    > > I forgot to mention, but I'm using JAX-RPC. JAX-WS is not an option
    > > because of my server.

    >
    > > Dave Miller wrote:
    > >> wrote:
    > >>> I have a Java bean web service which has different required roles per
    > >>> method. (In one case, the required role even varies depending on the
    > >>> parameters.) Since this can't be done declaratively, I'm calling
    > >>> ServletEndpointContext.isUserInRole(String roleName) and throwing a
    > >>> SecurityException if they're not. This works, but it returns an HTTP
    > >>> status of 500. I would rather return the more appropriate status
    > >>> 403. Does anyone know how to do this without resorting to tricks like
    > >>> using a filter and a ThreadLocal?
    > >> Why wouldn't you set the http Status-Line as part of your exception
    > >> handling (or off the boolean) rather than filtering?

    >
    > >> HttpServletResponse.sendError(int code, String message) sets the headers
    > >> that you want to set. If you don't want to set the headers yourself, a
    > >> workaround could redirect to a jsp to sendError.

    >
    > >> --
    > >> Dave Miller
    > >> Java Web Hosting at:
    > >> http://www.cheap-jsp-hosting.com/

    >
    > You can get to HttpServletResponse with a very inelegant workaround:
    > ServletEndpointContext -> ServletContext -> RequestDispatcher -> new
    > resource to sendError. Instead, is making up a custom 403 page (or
    > something that looks like one) and returning that an easier option?
    >
    > BTW, why can't you get JAX-WS?
    >
    > --
    > Dave Miller
    > Java Web Hosting at: http://www.cheap-jsp-hosting.com/
     
    , Jun 17, 2008
    #5
  6. Dave Miller Guest

    <snip>
    >

    OK then, some final thoughts:

    1. For groups, please bottom post.
    2. RD passes along whatever you give it.
    3. I'm out of ideas - good luck with your project.

    --
    Dave Miller
    Java Web Hosting at:
    http://www.cheap-jsp-hosting.com/
     
    Dave Miller, Jun 17, 2008
    #6
  7. Guest

    On Jun 17, 10:49 am, Dave Miller <> wrote:
    > <snip>
    >
    > OK then, some final thoughts:
    >
    > 1. For groups, please bottom post.
    > 2. RD passes along whatever you give it.
    > 3. I'm out of ideas - good luck with your project.
    >
    > --
    > Dave Miller
    > Java Web Hosting at: http://www.cheap-jsp-hosting.com/


    Okay. Thanks for your time and thoughts.
     
    , Jun 17, 2008
    #7
  8. Dave Miller Guest

    Lew wrote:
    > Dave Miller wrote:
    >> 1. For groups, please bottom post.

    >
    > No! Bad advice.
    >
    > Post in line, and trim what you quote.
    >

    I may have used the wrong syntax but what I meant was post below the
    preceding reply. (like we're doing here). If it doesn't mean that, what
    does "bottom post" mean?

    --
    Dave Miller
    Java Web Hosting at:
    http://www.cheap-jsp-hosting.com/
     
    Dave Miller, Jun 18, 2008
    #8
  9. Dave Miller wrote:
    > Lew wrote:
    >> Dave Miller wrote:
    >>> 1. For groups, please bottom post.

    >>
    >> No! Bad advice.
    >>
    >> Post in line, and trim what you quote.
    >>

    > I may have used the wrong syntax but what I meant was post below the
    > preceding reply. (like we're doing here). If it doesn't mean that, what
    > does "bottom post" mean?


    I think Lew is arguing:

    >A

    re A
    >B

    re B

    over:

    >A
    >B

    re A
    re B

    Arne
     
    Arne Vajhøj, Jun 18, 2008
    #9
  10. Dave Miller Guest

    Lew wrote:

    > Bottom posting: bad. Top-posting: Really evil. Inline posting: proper,
    > if you trim the quotes.


    I got your point from Arnie.

    The bottom versus inline bit goes to writing style. Inline is bottom
    posting in a point / counterpoint style.

    BTW - how are we doing on subject line?

    --
    Dave Miller
    Java Web Hosting at:
    http://www.cheap-jsp-hosting.com/
     
    Dave Miller, Jun 18, 2008
    #10
