Reply To: security related issue
Actually it wasn’t my EL, here I’m using the stock one from rewrite-servlet-2.0.6-SNAPSHOT, I’ve removed all of my custom libraries while examining the issue. Actually there’s no need for further study – catching ALL exceptions is generally a wrong idea in an EE environment. A Servlet request isn’t only about pages, it also creates and holds a security context which is propagated along with each and every call to underlying components of an EE server. If a proxy of an EJB finds the security context insufficient for execution, it throws a subclass of an EJBAccessException, which is the subclass of RuntimeException and which finally breaks the execution of a filter/servlet. You could handle such situations via web.xml (error-page) or via exception-handler-factory in JSF, but not when these exceptions are swallowed by the Rewrite.
I see only two options here:
1) don’t catch any exceptions at all, let it be the responsibility of an
2) don’t catch any runtime exceptions (as I did above), this seems more natural to me, because the RewriteException thrown is also a runtime one. Thus, unless you have a very very special exception handling somewhere deep in your code (which it seems you don’t), there is nothing you lose in this case.
What do you think?
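
The behaviour discussed in this reply, as an added example that is not part of the original post and is not Rewrite's code: a wrapper that swallows every exception hides an access failure from the container's error mapping, while one that lets runtime exceptions through does not. All class and method names are hypothetical stand-ins (`AccessDenied` for `EJBAccessException`, `container` for the `error-page` mapping, `IllegalStateException` for the wrapping runtime exception), so it runs on a plain JDK.

```java
public class SwallowedAccessDemo {
    // Stand-in for javax.ejb.EJBAccessException, which is a RuntimeException.
    static class AccessDenied extends RuntimeException {
        AccessDenied(String message) { super(message); }
    }

    // One step of request processing; may throw checked or runtime exceptions.
    interface Handler { String handle(String role) throws Exception; }

    // Stand-in for an EJB proxy that rejects an insufficient security context.
    static String protectedCall(String role) {
        if (!"admin".equals(role)) throw new AccessDenied("caller lacks role admin");
        return "secret report";
    }

    // The pattern criticised in the post: every exception is caught and dropped.
    static Handler swallowAll(Handler next) {
        return role -> {
            try { return next.handle(role); }
            catch (Exception e) { return ""; } // the access failure disappears here
        };
    }

    // Option 2 from the post: runtime exceptions pass through untouched,
    // checked ones are wrapped in a runtime exception.
    static Handler rethrowRuntime(Handler next) {
        return role -> {
            try { return next.handle(role); }
            catch (RuntimeException e) { throw e; }
            catch (Exception e) { throw new IllegalStateException("rewrite failed", e); }
        };
    }

    // Stand-in for the container: maps AccessDenied to 403, as an error-page entry would.
    static int container(Handler h, String role) {
        try { h.handle(role); return 200; }
        catch (AccessDenied e) { return 403; }
        catch (Exception e) { return 500; }
    }

    public static void main(String[] args) {
        Handler app = SwallowedAccessDemo::protectedCall;
        System.out.println("swallowing wrapper, guest:  " + container(swallowAll(app), "guest"));
        System.out.println("propagating wrapper, guest: " + container(rethrowRuntime(app), "guest"));
        System.out.println("propagating wrapper, admin: " + container(rethrowRuntime(app), "admin"));
    }
}
```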