
When RESTXQ detects a security error, it should not fail with a 500.

Instead, initiate a basic auth handshake (401), so that the
user can retry the request with the correct level of authorisation.
1 parent eecd931 commit bbb549fc3e09ea5a6a77b4ef60d16092ca326c82 @Infiniverse Infiniverse committed Jan 27, 2014
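--- a/.../exquery/restxq/src/main/java/org/exist/extensions/exquery/restxq/impl/RestXqServlet.java
+++ b/.../exquery/restxq/src/main/java/org/exist/extensions/exquery/restxq/impl/RestXqServlet.java
@@ -36,6 +36,8 @@
 import org.exist.extensions.exquery.restxq.impl.adapters.HttpServletRequestAdapter;
 import org.exist.extensions.exquery.restxq.impl.adapters.HttpServletResponseAdapter;
 import org.exist.http.servlets.AbstractExistHttpServlet;
+import org.exist.http.servlets.BasicAuthenticator;
+import org.exist.security.PermissionDeniedException;
 import org.exist.security.Subject;
 import org.exist.storage.DBBroker;
 import org.exist.util.Configuration;
@@ -114,9 +116,13 @@ public String getCacheClass() {
 getLog().error(ee.getMessage(), ee);
 throw new ServletException(ee.getMessage(), ee);
 } catch(RestXqServiceException rqse) {
- //TODO should probably be caught higher up and returned as a HTTP Response? maybe need two different types of exception to differentiate critical vs processing exception
- getLog().error(rqse.getMessage(), rqse);
- throw new ServletException(rqse.getMessage(), rqse);
+ if (rqse.getCause() instanceof PermissionDeniedException) {
+ new BasicAuthenticator(null).sendChallenge(request, response);
+ } else {
+ //TODO should probably be caught higher up and returned as a HTTP Response? maybe need two different types of exception to differentiate critical vs processing exception
+ getLog().error(rqse.getMessage(), rqse);
+ throw new ServletException(rqse.getMessage(), rqse);
+ }
 } finally {
 if(broker != null) {
 getPool().release(broker);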
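Review bot: The new `PermissionDeniedException` branch sends the 401 challenge without logging anything, so authorisation failures on RESTXQ resources leave no trace for audit or for spotting repeated credential guessing; a line such as `getLog().warn("Permission denied for RESTXQ request, sending Basic challenge: " + rqse.getMessage());` before `sendChallenge` would keep that signal. Only the direct cause is tested, so a `PermissionDeniedException` wrapped one level deeper would still surface as a 500. A caller who is already authenticated but lacks rights is challenged again rather than answered with 403, which may make clients re-prompt in a loop; whether that is intended is not visible here. `new BasicAuthenticator(null)` relies on `sendChallenge` never touching the constructor argument, which this hunk cannot confirm. The enclosing method and its `try` begin outside the hunk.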
