
Thread: Exceptions in Custom AuthFilter

  1. #1

    Exceptions in Custom AuthFilter

    Hello everyone,
    I want to use Spring Security for my application.
    I have to merge Spring Security with my custom SSO that works with a web service.

    I thought I would create a custom filter to add to the Spring Security chain.

    Code:
    <sec:http entry-point-ref="authenticationEntryPoint" use-expressions="true">
        <sec:custom-filter before="PRE_AUTH_FILTER" ref="authenticationFilter" />
        <sec:access-denied-handler ref="accessDeniedHandler" />
    </sec:http>

    My authenticationFilter calls the SSO web service and adds granted authorities to the authentication.

    I have a little trouble when an exception is thrown by my SSO service. I would like to send the user to the exception handler, but it just sends it to the servlet and I get a raw 500 Internal Server Error.
    I also tried to catch the exception and throw an AccessDeniedException, but it is the same.
    What am I missing?

    Thank you.

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    The AccessDeniedHandler applies to a later stage in the filter chain. It won't handle exceptions thrown from your filter.

    Either customize your filter to catch exceptions or set up an error-page declaration for the 500 code in your web.xml (which you should probably do anyway, since end users should never see exceptions).
    Spring - by Pivotal
    twitter @tekul
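
    The first option from reply #2 (catch the exception inside the filter itself), as an added example that is not code from the thread or from the Spring project. `SsoAuthenticationFilter` and `SsoClient` are hypothetical names, and the entry point is assumed to be the `authenticationEntryPoint` bean from the configuration in post #1.

```java
import java.io.IOException;
import java.util.Collection;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.GenericFilterBean;

public class SsoAuthenticationFilter extends GenericFilterBean {
    /** Hypothetical wrapper around the SSO web service; not a Spring type. */
    public interface SsoClient {
        String resolveUser(HttpServletRequest request) throws Exception; // null = no SSO session
        Collection<? extends GrantedAuthority> loadAuthorities(String user) throws Exception;
    }
    private final SsoClient ssoClient;
    private final AuthenticationEntryPoint entryPoint;

    public SsoAuthenticationFilter(SsoClient ssoClient, AuthenticationEntryPoint entryPoint) {
        this.ssoClient = ssoClient;
        this.entryPoint = entryPoint;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            String user = ssoClient.resolveUser(request);
            if (user != null) {
                SecurityContextHolder.getContext().setAuthentication(
                        new PreAuthenticatedAuthenticationToken(user, "N/A", ssoClient.loadAuthorities(user)));
            }
        } catch (Exception e) {
            // Fail closed: this filter runs before ExceptionTranslationFilter, so nothing
            // downstream will translate the error. Log the cause server-side only.
            SecurityContextHolder.clearContext();
            logger.warn("SSO lookup failed", e);
            entryPoint.commence(request, response, new AuthenticationServiceException("SSO lookup failed", e));
            return;
        }
        chain.doFilter(request, response); // outside the try, so downstream errors are not swallowed
    }
}
```

    The status the client sees is whatever the configured entry point writes; to force a plain 401, replace the `commence` call with `response.sendError(HttpServletResponse.SC_UNAUTHORIZED)`.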

  3. #3


    But do you think that my auth flow is not correct?
    Thanks.

  4. #4
    Luke Taylor

    Originally posted by Tobia:
        But do you think that my auth flow is not correct?
        Thanks.

    No, but as I said the AccessDeniedHandler won't handle exceptions from your filter. It is a strategy used by the ExceptionTranslationFilter.

  5. #5

    OK, I understand. But I would like to know if I could build a better chain with an external WS/SSO.

    Thank you. Bye.

  6. #6

    I added the 500 error code, but in my error JSP can I print the exception trace?
    How do I access the exception?

    Thank you.

  7. #7

    Can I also send a different error code instead of 500? For example, a 401 for not authenticated? How do I do this?

    Thank you.
