SEC-1635: AfterInvocationManager should not be invoked if an exception occurs #1875

Closed
spring-issuemaster opened this Issue Dec 6, 2010 · 4 comments

@spring-issuemaster

Luke Taylor (Migrated from SEC-1635) said:

The AfterInvocationManager is intended to perform filtering or make an access decision after an invocation has taken place.

If the invocation raises an exception, then there is no returned object or collection to filter/modify, and the ability to make an access-decision is likely to be complicated by the lack of those objects (see SEC-1525, for example). Since an exception generally means that the invocation has failed, it's also unlikely that an access-decision is required at that point anyway. Any stateful changes should be rolled back by a transaction manager.

@spring-issuemaster

Luke Taylor said:

Updated the security interceptor implementations to remove the finally block in which the AfterInvocationManager is called.
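
The change described in this issue, sketched as an added example that is not part of the issue thread or of Spring Security's own code. `AfterInvocation`, `invokeWithFinally` and `invokeWithoutFinally` are hypothetical, simplified stand-ins for the AfterInvocationManager and the security interceptor.

```java
import java.util.concurrent.Callable;

// Simplified stand-ins (assumptions), not Spring Security's real types.
public class AfterInvocationDemo {

    /** Hypothetical post-invocation hook: filters or vetoes the returned object. */
    interface AfterInvocation {
        Object decide(Object returnedObject);
    }

    /** Old shape: the hook sits in a finally block, so it also runs when the call fails. */
    static Object invokeWithFinally(Callable<Object> secured, AfterInvocation after) throws Exception {
        Object result = null;
        try {
            result = secured.call();
        } finally {
            // After a failed call, result is still null: there is nothing to filter,
            // and an exception thrown here replaces the one raised by the invocation.
            result = after.decide(result);
        }
        return result;
    }

    /** New shape: the hook runs only when the invocation returned normally. */
    static Object invokeWithoutFinally(Callable<Object> secured, AfterInvocation after) throws Exception {
        Object result = secured.call(); // an exception propagates unchanged, hook is skipped
        return after.decide(result);
    }

    public static void main(String[] args) {
        // Constructed failing invocation and a hook that cannot decide without an object.
        Callable<Object> failing = () -> { throw new IllegalStateException("invocation failed"); };
        AfterInvocation hook = returned -> {
            if (returned == null) {
                throw new SecurityException("no returned object to check");
            }
            return returned;
        };
        try {
            invokeWithFinally(failing, hook);
        } catch (Exception e) {
            System.out.println("with finally:    " + e);
        }
        try {
            invokeWithoutFinally(failing, hook);
        } catch (Exception e) {
            System.out.println("without finally: " + e);
        }
    }
}
```

Comparing the two printed exceptions shows which shape lets the caller see the invocation's own failure rather than one raised by the post-invocation step.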

spring-issuemaster added this to the 3.1.0.M2 milestone Feb 5, 2016

@spring-issuemaster

This issue relates to https://jira.spring.io/browse/SEC-1967
This issue supersedes #1766
