Hi,
I am looking into an issue where the catalog security throws a security exception, and the user gets back a 500 instead
of the intended 401.
After much fiddling I’ve found that the RestControllerAdvice in gs-rest acts as a catch-all: it advises all controllers, including
the OWS one, and has an exception handler method catching “Exception”:
Now, my first reaction was that this advice should not be messing with the OWS controller… however, there is no way to map
an exclude, but only to give a set of classes (or base classes) that should be advised… and that was my first attempt.
Problem: while most REST controllers extend RestBaseController, not all do, and there is no requirement to do so.
To just fix the build one would have to alter 3-4 controllers to extend RestBaseController but… in theory we’d have to go
and check each one of them.
So I went for a plan B, catch all security exceptions in a dedicated handling method, and rethrow them. Much smaller change,
appears to work. For reference, here:
https://github.com/geoserver/geoserver/pull/3476
However… there is still a catch. If the advice applies to all Spring dispatchers, including the OWS one, any exception going
out from there would be caught by RestControllerAdvice and reported to the REST callbacks. It’s unlikely but not impossible.
Hmm… comments?
Also, a bit of a rant if I may: these approaches based on annotations look nice when coding them, but one never knows where
the side effects end up, while with XML hand wiring we get better control (see also the mapml module breaking REST completely).
I guess we should try to discourage using annotations in a project as large and complex as GeoServer?
Cheers
Andrea
Ing. Andrea Aime @geowolf
Technical Lead, GeoSolutions S.A.S.
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
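Added example, not code from the post or from the GeoServer code base: a minimal Spring `@RestControllerAdvice` that reproduces the "plan B" described above. The class, package and the plain-text error body are assumptions for illustration. The catch-all `Exception` handler is what turns a security exception into a 500; the two narrower handlers in front of it take precedence because Spring selects the `@ExceptionHandler` whose declared type is closest to the thrown exception, and rethrowing from a handler makes `ExceptionHandlerExceptionResolver` give up on the exception so it propagates out of the `DispatcherServlet` to Spring Security's `ExceptionTranslationFilter`, which answers with 401 (no authentication) or 403 (authenticated but denied).

```java
package example.rest; // hypothetical package, not part of GeoServer

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/**
 * Catch-all advice in the style of the one described in the post.
 *
 * Without the two rethrow handlers, an AccessDeniedException raised by catalog
 * security inside a controller would reach handleAnything() and be reported as
 * a 500. With them in place, Spring's handler selection (closest declared type
 * wins) routes security exceptions to the rethrow methods, the resolver returns
 * null, and the exception reaches Spring Security's ExceptionTranslationFilter.
 *
 * Note the advice is unscoped, so it applies to every controller in the
 * dispatcher it lives in. Scoping it with
 *   @RestControllerAdvice(assignableTypes = RestBaseController.class)
 * is the "plan A" from the post and only works if every REST controller
 * extends that base class.
 */
@RestControllerAdvice
public class CatchAllRestAdvice {

    // Both Spring Security exception types are unchecked, so rethrowing
    // needs no throws clause.
    @ExceptionHandler(AccessDeniedException.class)
    public void rethrowAccessDenied(AccessDeniedException e) {
        throw e; // let ExceptionTranslationFilter produce 401/403
    }

    @ExceptionHandler(AuthenticationException.class)
    public void rethrowAuthentication(AuthenticationException e) {
        throw e; // same: entry point decides the response, not this advice
    }

    // The original catch-all: anything not matched above becomes a 500.
    @ExceptionHandler(Exception.class)
    public void handleAnything(Exception e, HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        response.setContentType("text/plain");
        // Message only, no stack trace: the body goes to an untrusted caller.
        response.getWriter().write(String.valueOf(e.getMessage()));
    }
}
```

A quick way to verify the behaviour is to hit a REST endpoint that a catalog security rule denies, once anonymously and once as an authenticated user without rights: the first should come back 401 and the second 403, and neither should show up in the advice's 500 path. The `@RestControllerAdvice` annotation also accepts `basePackages` and `annotations` attributes for scoping, but as the post notes, there is no exclude list, so the rethrow handlers remain the smallest change that keeps security exceptions out of the catch-all.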