Reply To: security related issue




Hi Lincoln,

Actually, it wasn’t my EL; here I’m using the stock one from rewrite-servlet-2.0.6-SNAPSHOT, and I’ve removed all of my custom libraries while examining the issue. Actually, there’s no need for further study: catching ALL exceptions is generally a wrong idea in an EE environment. A Servlet request isn’t only about pages; it also creates and holds a security context which is propagated along with each and every call to underlying components of an EE server. If a proxy of an EJB finds the security context insufficient for execution, it throws a subclass of EJBAccessException, which is a subclass of RuntimeException and which finally breaks the execution of a filter/servlet. You could handle such situations via web.xml (error-page) or via exception-handler-factory in JSF, but not when these exceptions are swallowed by Rewrite.

I see only two options here:
1) don’t catch any exceptions at all; let it be the responsibility of an ExpressionLanguageProvider.
2) don’t catch any runtime exceptions (as I did above); this seems more natural to me, because the RewriteException thrown is also a runtime one. Thus, unless you have very, very special exception handling somewhere deep in your code (which it seems you don’t), there is nothing you lose in this case.

What do you think?
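The two catch strategies discussed in this post, as an added example that is not code from the Rewrite project or from the poster. The EJBAccessException and RewriteException classes below are local stand-ins (so the example compiles without an EE API jar), and secureBusinessCall is a hypothetical EJB proxy that enforces a role check; the point is that a catch-all around EL evaluation turns a container-enforced access denial into a null value, while letting RuntimeException propagate keeps it visible to web.xml error-page or a JSF exception handler.

```java
import java.util.concurrent.Callable;

public class ElExceptionHandlingDemo {

    // Stand-in for javax.ejb.EJBAccessException (a RuntimeException in Java EE),
    // defined locally so the example runs without an EE API jar.
    static class EJBAccessException extends RuntimeException {
        EJBAccessException(String msg) { super(msg); }
    }

    // Stand-in for Rewrite's RewriteException, which the post notes is also a runtime exception.
    static class RewriteException extends RuntimeException {
        RewriteException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Hypothetical "EJB proxy": the container-side role check runs before the business method.
    static String secureBusinessCall(boolean callerHasRole) {
        if (!callerHasRole) {
            throw new EJBAccessException("caller is not in the required role");
        }
        return "sensitive-result";
    }

    // The pattern the post objects to: catching ALL exceptions around EL evaluation.
    // The access denial becomes a plain null result, so neither an <error-page> in
    // web.xml nor a JSF ExceptionHandlerFactory ever sees it.
    static String evaluateCatchingAll(Callable<String> expression) {
        try {
            return expression.call();
        } catch (Exception e) {
            // swallowed: a security failure is now indistinguishable from "no value"
            return null;
        }
    }

    // Option 2 from the post: wrap only checked exceptions in a RewriteException and let
    // runtime exceptions (EJBAccessException included) propagate to the container.
    static String evaluateLettingRuntimeThrough(Callable<String> expression) {
        try {
            return expression.call();
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new RewriteException("EL evaluation failed", e);
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: the current security context lacks the role.
        Callable<String> unauthorized = () -> secureBusinessCall(false);

        // Catch-all: the request continues as if the expression simply had no value.
        System.out.println("catch-all result: " + evaluateCatchingAll(unauthorized));

        // Runtime-through: the access denial reaches the caller, which is where the
        // container's error-page / exception-handler mechanism would take over.
        try {
            evaluateLettingRuntimeThrough(unauthorized);
        } catch (EJBAccessException e) {
            System.out.println("propagated: " + e.getMessage());
        }
    }
}
```

The first call prints a null result and the second prints the propagated access-denial message; in a real deployment the difference is whether the container's configured error handling fires at all.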