Thread: AccessDeniedException and remoting with hessian

  1. #1
    Join Date
    Mar 2007
    Posts
    561

    AccessDeniedException and remoting with hessian

    Hi,

    I'm using Acegi Security 1.0.6 for securing a web application.
    When a user accesses a protected URL which is forbidden for him, he gets an AccessDeniedException. Fine.

    Code:
    org.acegisecurity.AccessDeniedException: Access is denied
    	at org.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
    	at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:323)
    	at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:104)
    	at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)

    But when the web app is accessed via hessian and spring remoting the client gets a generic status 500, not 403.

    What is the problem here?

    Thank you!


    Code:
    org.springframework.remoting.RemoteAccessException: Cannot access Hessian remote service at [http://]; nested exception is com.caucho.hessian.io.HessianProtocolException: 500: java.io.IOException: Server returned HTTP response code: 500 for URL: http://
    	at org.springframework.remoting.caucho.HessianClientInterceptor.convertHessianAccessException(HessianClientInterceptor.java:254)
    	at org.springframework.remoting.caucho.HessianClientInterceptor.invoke(HessianClientInterceptor.java:225)
    	at com.adp.adpa.test.common.DynamicHessianProxyFactoryBean.invoke(DynamicHessianProxyFactoryBean.java:45)
    	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    	at $Proxy7.addPerson(Unknown Source)
    	at com.adp.adpa.test.service.PersonDataManagerTest.testAll(PersonDataManagerTest.java:26)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at junit.framework.TestCase.runTest(TestCase.java:164)
    	at junit.framework.TestCase.runBare(TestCase.java:130)
    	at org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:76)
    	at junit.framework.TestResult$1.protect(TestResult.java:106)
    	at junit.framework.TestResult.runProtected(TestResult.java:124)
    	at junit.framework.TestResult.run(TestResult.java:109)
    	at junit.framework.TestCase.run(TestCase.java:120)
    	at junit.framework.TestSuite.runTest(TestSuite.java:230)
    	at junit.framework.TestSuite.run(TestSuite.java:225)
    	at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130)
    	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
    	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
    	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
    	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
    Caused by: com.caucho.hessian.io.HessianProtocolException: 500: java.io.IOException: Server returned HTTP response code: 500 for URL: http://
    	at com.caucho.hessian.client.HessianProxy.invoke(HessianProxy.java:185)
    	at $Proxy6.addPerson(Unknown Source)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.springframework.remoting.caucho.HessianClientInterceptor.invoke(HessianClientInterceptor.java:219)
    	... 24 more
    Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: http://
    	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    	at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1296)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1290)
    	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:944)
    	at com.caucho.hessian.client.HessianProxy.invoke(HessianProxy.java:167)
    	... 30 more
    Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: http://
    	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
    	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
    	at com.caucho.hessian.client.HessianProxy.invoke(HessianProxy.java:158)
    	... 30 more

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    A 500 code is a server error, so the output from the client isn't much help in diagnosing it. You'll need to look at the server log.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Mar 2007
    Posts
    561

    Hello Luke,

    thanks for your reply.

    The first code block in my post contains the server-side stack trace. My problem is not the exception itself; my question is why an AccessDeniedException isn't translated into an HTTP status 403 (Forbidden) but into a generic 500 status. This way the client has no idea why something went wrong.

    Thank you

  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    You'll need to debug the server side and work out where the 500 code is coming from. The AccessDeniedException won't cause that directly unless you are just propagating it into the container. So something else must be going wrong. Dump the stack trace when the response code is set and make sure there aren't any other exceptions being swallowed by the container, hessian or elsewhere.
    Spring - by Pivotal
    twitter @tekul

  5. #5
    Join Date
    Mar 2007
    Posts
    561

    OK, I got it. I had an AccessDeniedHandler with a JSP error page. This causes an HTTP status 500.

    Now I get 403 - but the problem is that this is translated into a generic IOException in the hessian client (+ HttpURLConnection):

    Code:
    Caused by: com.caucho.hessian.client.HessianConnectionException: 403: java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/Test/remoting/Test
    	at com.caucho.hessian.client.HessianProxy.invoke(HessianProxy.java:197)
    	at $Proxy4.startUpload(Unknown Source)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.springframework.remoting.caucho.HessianClientInterceptor.invoke(HessianClientInterceptor.java:222)
    	... 34 more
    Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/Test/remoting/Test
    	at sun.reflect.GeneratedConstructorAccessor21.newInstance(Unknown Source)
    	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    	at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1296)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1290)
    	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:944)
    	at com.caucho.hessian.client.HessianProxy.invoke(HessianProxy.java:179)
    	... 40 more
    Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/Test/remoting/Test
    	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1241)
    	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
    	at com.caucho.hessian.client.HessianProxy.invoke(HessianProxy.java:168)
    	... 40 more

    So I have to parse the message of the IOException to get the response code...

    Is there a better way to get the 403?
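
An added example, not part of the thread and not Acegi Security's own code, of the server-side arrangement post #5 arrives at: remoting calls get a bare 403 while browser requests keep the JSP error page. The class name `RemotingAwareAccessDeniedHandler`, its two properties and the `/remoting/` prefix (taken from the URL in the trace above) are assumptions; it would be set as the `accessDeniedHandler` of `ExceptionTranslationFilter`.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.ui.AccessDeniedHandler;

/** Hypothetical handler: bare 403 for remoting calls, error page for browsers. */
public class RemotingAwareAccessDeniedHandler implements AccessDeniedHandler {

    // Assumption: Hessian services are mapped under this path, as in the
    // /Test/remoting/Test URL from the thread (context path /Test).
    private String remotingPathPrefix = "/remoting/";

    // Existing handler for browser requests (e.g. the one that forwards to a JSP).
    private AccessDeniedHandler browserHandler;

    public void handle(ServletRequest request, ServletResponse response,
            AccessDeniedException accessDeniedException)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Path inside the web application, without the context path.
        String path = httpRequest.getServletPath();
        if (httpRequest.getPathInfo() != null) {
            path += httpRequest.getPathInfo();
        }

        // Both branches deny the request; the path only selects the response format.
        if (browserHandler == null || path.startsWith(remotingPathPrefix)) {
            if (!httpResponse.isCommitted()) {
                // Fixed message: no exception detail is sent to the caller.
                httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Access is denied");
            }
            return;
        }
        browserHandler.handle(request, response, accessDeniedException);
    }

    public void setRemotingPathPrefix(String remotingPathPrefix) {
        this.remotingPathPrefix = remotingPathPrefix;
    }

    public void setBrowserHandler(AccessDeniedHandler browserHandler) {
        this.browserHandler = browserHandler;
    }
}
```

If `web.xml` maps an `<error-page>` for 403, the container will still render that page for the `sendError` call, so such a mapping should not point at a page that changes the status code.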

  6. #6
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    How you handle it on the client isn't a Spring Security issue, so you'd be better consulting the relevant documentation for your client or taking it up in an appropriate forum.
    Spring - by Pivotal
    twitter @tekul

  7. #7
    Join Date
    Mar 2007
    Posts
    561

    OK, you are right, no direct Spring Security problem.
    Just a problem with how the HessianProxy handles response codes other than 200.
    Maybe the Spring Remoting team can handle this in a better way.

    Same problem with credential expired, account locked etc.
    Using hessian I get only a numb 401 and have no clue if the credentials are bad or my account is locked in some way.
