Fixing SEAMFACES-126

Logging a warning instead of an exception. This is really a configuration issue. A 401 is actually the correct thing to do if there is no configured page. Also wrapping any output in an if statement to make sure we don't send any of our output if the users have already pushed things out to the output stream.
seam · Aug 25, 2011 · c09fe7e · c09fe7e
1 parent 1277f99
commit c09fe7e
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/impl/src/main/java/org/jboss/seam/faces/security/SecurityPhaseListener.java b/impl/src/main/java/org/jboss/seam/faces/security/SecurityPhaseListener.java
@@ -327,18 +327,21 @@ private void redirectToLoginPage(FacesContext context, UIViewRoot viewRoot) {
      * @param viewRoot
      */
     private void redirectToAccessDeniedView(FacesContext context, UIViewRoot viewRoot) {
-        AccessDeniedView accessDeniedView = viewConfigStore.getAnnotationData(viewRoot.getViewId(), AccessDeniedView.class);
-        if (accessDeniedView == null || accessDeniedView.value() == null || accessDeniedView.value().isEmpty()) {
-            log.debug("Returning 401 response (access denied)");
-            context.getExternalContext().setResponseStatus(401);
-            context.responseComplete();
-            return;
+        // If a user has already done a redirect and rendered the response (possibly in an observer) we cannot do this output
+        if (!(context.getResponseComplete() || context.getRenderResponse())) {
+            AccessDeniedView accessDeniedView = viewConfigStore.getAnnotationData(viewRoot.getViewId(), AccessDeniedView.class);
+            if (accessDeniedView == null || accessDeniedView.value() == null || accessDeniedView.value().isEmpty()) {
+                log.warn("No AccessDeniedView is configured, returning 401 response (access denied). Please configure an AccessDeniedView in the ViewConfig.");
+                context.getExternalContext().setResponseStatus(401);
+                context.responseComplete();
+                return;
+            }
+            String accessDeniedViewId = accessDeniedView.value();
+            log.debugf("Redirecting to configured AccessDenied %s", accessDeniedViewId);
+            NavigationHandler navHandler = context.getApplication().getNavigationHandler();
+            navHandler.handleNavigation(context, "", accessDeniedViewId);
+            context.renderResponse();
         }
-        String accessDeniedViewId = accessDeniedView.value();
-        log.debugf("Redirecting to configured AccessDenied %s", accessDeniedViewId);
-        NavigationHandler navHandler = context.getApplication().getNavigationHandler();
-        navHandler.handleNavigation(context, "", accessDeniedViewId);
-        context.renderResponse();
     }
 
     /**