RESTHandler and Declarative Security failure

claudiobosticco

Registered Developer

Join Date: Sep 2008
Posts: 2368

RESTHandler and Declarative Security failure

19 Sep 2019, 08:02

SmartClient Version: SNAPSHOT_v12.1d_2019-09-12/Enterprise Deployment (built 2019-09-12)

Hello, I've got a RESTHandler, where I override the handleDSRequest method and set authentication and user roles, based on various conditions:

Code:

rpc.setAuthenticated(Boolean.TRUE);
rpc.setUserRoles("ROLE_USER");

I've just noticed that when the request fails a declarative security check (ie on a requiresRole):

Code:

2019-09-19 17:32:48,248 WARN  RequestContext dsRequest.execute() failed:  
java.lang.SecurityException: DataSource 'JPC_COMUNI', operationType 'fetch', operationId 'fetchCliente'.  This operation requires role(s) 'ROLE_FOO'. This user fails the role check.
    at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:2725)
    at com.isomorphic.servlet.RESTHandler.handleDSRequest(RESTHandler.java:826)
    at com.isomorphic.servlet.RESTHandler.processRestTransaction(RESTHandler.java:716)
    at com.juve.legend.rest.LegendRestHandler.processRestTransaction(LegendRestHandler.java:78)
    at com.isomorphic.servlet.RESTHandler.processRequest(RESTHandler.java:587)
    at com.juve.legend.rest.LegendRestHandler.processRequest(LegendRestHandler.java:71)
    at com.isomorphic.servlet.RESTHandler.doGet(RESTHandler.java:488)
    at com.juve.legend.rest.LegendRestHandler.doGet(LegendRestHandler.java:65)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
    at com.isomorphic.servlet.BaseServlet.service(BaseServlet.java:180)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:200)
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.juve.utils.Log4jSessionFilter.doFilter(Log4jSessionFilter.java:84)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:163)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.isomorphic.js.JSSyntaxScannerFilter._doFilter(JSSyntaxScannerFilter.java:262)
    at com.isomorphic.servlet.BaseFilter.doFilter(BaseFilter.java:90)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.isomorphic.servlet.CompressionFilter._doFilter(CompressionFilter.java:260)
    at com.isomorphic.servlet.BaseFilter.doFilter(BaseFilter.java:90)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

the returned dsResponse contains a status = -1. I was expecting a STATUS_AUTHORIZATION_FAILURE (-3). Is it expected behaviour?

Tags: None

Isomorphic

Administrator

Join Date: May 2006

Posts: 53963
#2

25 Sep 2019, 10:01

This should be fixed back to SC 11.1p as of today's nightly builds dated 2019-09-25.
Comment
claudiobosticco

Registered Developer

Join Date: Sep 2008

Posts: 2368
#3

27 Sep 2019, 07:52

SNAPSHOT_v12.1d_2019-09-26/Enterprise Deployment

I can confirm it's fixed, thank you very much
Comment

Previous template Next

Announcement

RESTHandler and Declarative Security failure

Comment

Comment