What's available after access denied?

[pburleson]

I haven't dug too deep into this yet, but I was wonder what information was still available after an "Access Denied" decision? Is the Authentication object still available?

Reason being, I want to log in the database the fact that someone attempted to access a loction they were not granted access to.

My gut tells me the authentication object is still there, but I just wanted to get some confirmation.

Thanks,
Patrick

[pburleson]

I haven't dug too deep into this yet, but I was wonder what information was still available after an "Access Denied" decision? Is the Authentication object still available?

Reason being, I want to log in the database the fact that someone attempted to access a loction they were not granted access to.

My gut tells me the authentication object is still there, but I just wanted to get some confirmation.

Thanks,
Patrick

Well, my gut was wrong...I see that the Authentication object is removed from the SecureContext before giving an access denied error.

Hmm, is the Authenticated object still in the "Well Known Location" in the session? Somewhat of a rhetorical question as I'm about to find out.

Patrick

[Ben Alex]

Yes, the Authentication will still be available in the well-known location.

I've added to my TODO list to put the AccessDeniedException into the HttpSession, so you can display the line number etc on the SC_FORBIDDEN (403) page.

[pburleson]

Thanks Ben.

I probably shouldn't have even asked the question without experimenting a little. I was definitely able to get the Authentication object.

Patrick

[Ben Alex]

I've just committed this change to SecurityEnforcementFilter to CVS.