From c09fe7ef75a9dab68a775287c35f31fcd491c8ed Mon Sep 17 00:00:00 2001
From: LightGuard
Date: Thu, 25 Aug 2011 15:57:25 -0600
Subject: [PATCH] Fixing SEAMFACES-126 Logging a warning instead of an exception. This is really a configuration issue. A 401 is actually the correct thing to do if there is no configured page. Also wrapping any output in an if statement to make sure we don't send any of our output if the users have already pushed things out to the output stream.
---
 .../faces/security/SecurityPhaseListener.java | 25 +++++++++++--------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/impl/src/main/java/org/jboss/seam/faces/security/SecurityPhaseListener.java b/impl/src/main/java/org/jboss/seam/faces/security/SecurityPhaseListener.java
index 013ab7f..36f8145 100644
--- a/impl/src/main/java/org/jboss/seam/faces/security/SecurityPhaseListener.java
+++ b/impl/src/main/java/org/jboss/seam/faces/security/SecurityPhaseListener.java
@@ -327,18 +327,21 @@ private void redirectToLoginPage(FacesContext context, UIViewRoot viewRoot) {
 * @param viewRoot
 */
 private void redirectToAccessDeniedView(FacesContext context, UIViewRoot viewRoot) {
- AccessDeniedView accessDeniedView = viewConfigStore.getAnnotationData(viewRoot.getViewId(), AccessDeniedView.class);
- if (accessDeniedView == null || accessDeniedView.value() == null || accessDeniedView.value().isEmpty()) {
- log.debug("Returning 401 response (access denied)");
- context.getExternalContext().setResponseStatus(401);
- context.responseComplete();
- return;
+ // If a user has already done a redirect and rendered the response (possibly in an observer) we cannot do this output
+ if (!(context.getResponseComplete() || context.getRenderResponse())) {
+ AccessDeniedView accessDeniedView = viewConfigStore.getAnnotationData(viewRoot.getViewId(), AccessDeniedView.class);
+ if (accessDeniedView == null || accessDeniedView.value() == null || accessDeniedView.value().isEmpty()) {
+ log.warn("No AccessDeniedView is configured, returning 401 response (access denied). Please configure an AccessDeniedView in the ViewConfig.");
+ context.getExternalContext().setResponseStatus(401);
+ context.responseComplete();
+ return;
+ }
+ String accessDeniedViewId = accessDeniedView.value();
+ log.debugf("Redirecting to configured AccessDenied %s", accessDeniedViewId);
+ NavigationHandler navHandler = context.getApplication().getNavigationHandler();
+ navHandler.handleNavigation(context, "", accessDeniedViewId);
+ context.renderResponse();
 }
- String accessDeniedViewId = accessDeniedView.value();
- log.debugf("Redirecting to configured AccessDenied %s", accessDeniedViewId);
- NavigationHandler navHandler = context.getApplication().getNavigationHandler();
- navHandler.handleNavigation(context, "", accessDeniedViewId);
- context.renderResponse();
 }
 /**
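Review bot: The new guard in redirectToAccessDeniedView fails open: when `context.getRenderResponse()` is already true the method returns without setting a status or navigating, so the denied request appears to carry on to rendering whatever view is current. JSF itself sets that flag on ordinary events such as a validation failure, so it is not proof that an observer has already dealt with the denial; the callers are outside this hunk, so which phases reach this method needs confirming. Consider skipping only when the response is really finished, `if (!context.getResponseComplete()) {`, and adding an else branch that logs at warn level so a skipped denial is visible in the logs. Separately, a 401 sent without a `WWW-Authenticate` header signals a missing login; for an authenticated user who lacks permission, 403 is the usual status.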