[FLOW3-general] Difference between AccessDenied and AuthenticationRequired exceptions
Andreas Wolf
andreas.wolf at typo3.org
Tue Apr 9 14:33:36 CEST 2013
Hi,
I'm currently working on the security concept for one of our web
applications and I'm currently struggling with the access decision
management.
I mainly don't get the difference between AccessDenied and
AuthenticationRequired exceptions, and their usage throughout Flow
seems inconsistent.
From my perspective, there are two possible cases when access to a
restricted resource is requested:
a) no user is logged in (= no token is authenticated, i.e. the
security context does not have an account attached to it)
=> the user should be prompted for a login
b) a user is logged in, but the policies forbid access to the
resource. This can usually not be circumvented by another login, so
=> access should be denied for the user
As far as I see, in case a) the correct exception would be
"AuthenticationRequired", for b) it is "AccessDenied".
The RequestDispatchingAspect handles it exactly this way, while the
AccessDecisionVoterManager always throws an AccessDeniedException.
This effectively makes it impossible to use the redirect-to-login
feature; at least I can't get it to work on a recent master.
Regards
Andreas
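The two cases described in the post, as an added stand-alone example that is not part of the original message and not Flow's own code. The class names (SecurityContext, AccessDecisionManager, Dispatcher), the two exception classes, the role-based policy array and the login URL are all hypothetical and only mirror the naming used in the discussion; the point shown is that the decision manager must distinguish "no token authenticated" (throw AuthenticationRequired, so the dispatcher can redirect to the login form) from "authenticated but not permitted" (throw AccessDenied, where another login would not help).

```php
<?php
// Added illustrative example, not Flow's code. All class names, the policy
// array and the login URL below are hypothetical (PHP 8.0+ syntax).
declare(strict_types=1);

class AuthenticationRequiredException extends RuntimeException {}
class AccessDeniedException extends RuntimeException {}

/** Hypothetical security context: the authenticated account (or none) and its roles. */
final class SecurityContext
{
    public function __construct(private ?string $account = null, private array $roles = []) {}

    public function hasAuthenticatedAccount(): bool { return $this->account !== null; }
    public function getAccount(): ?string { return $this->account; }
    public function getRoles(): array { return $this->roles; }
}

/** Hypothetical access decision manager: resource => roles allowed to access it. */
final class AccessDecisionManager
{
    public function __construct(private array $policy) {}

    public function decide(SecurityContext $context, string $resource): void
    {
        // Unknown resource: no role is allowed, so the request fails closed.
        $allowedRoles = $this->policy[$resource] ?? [];

        // Case a): no account is attached to the context. A login could change
        // the outcome, so signal AuthenticationRequired rather than AccessDenied.
        if (!$context->hasAuthenticatedAccount()) {
            throw new AuthenticationRequiredException(
                sprintf('Authentication required for resource "%s"', $resource));
        }

        // Case b): an account is attached, but none of its roles is permitted.
        if (array_intersect($context->getRoles(), $allowedRoles) === []) {
            throw new AccessDeniedException(sprintf(
                'Account "%s" is not allowed to access resource "%s"',
                $context->getAccount(), $resource));
        }
        // Otherwise access is granted and the caller proceeds.
    }
}

/** Hypothetical request dispatcher: maps the two exceptions to different responses. */
final class Dispatcher
{
    public function __construct(private AccessDecisionManager $adm, private string $loginUrl = '/login') {}

    /** @return array{status:int, body:string} */
    public function dispatch(SecurityContext $context, string $resource): array
    {
        try {
            $this->adm->decide($context, $resource);
            return ['status' => 200, 'body' => 'OK: ' . $resource];
        } catch (AuthenticationRequiredException $e) {
            // Redirect to the login form and remember the originally requested resource.
            $target = $this->loginUrl . '?return=' . rawurlencode($resource);
            return ['status' => 302, 'body' => 'Location: ' . $target];
        } catch (AccessDeniedException $e) {
            // A fresh login would not help, so do not bounce the user to the login form.
            return ['status' => 403, 'body' => 'Forbidden: ' . $e->getMessage()];
        }
    }
}

// Constructed sample policy and three requests covering grant, case a) and case b).
$dispatcher = new Dispatcher(new AccessDecisionManager([
    '/admin/users' => ['Administrator'],
    '/reports'     => ['Administrator', 'Editor'],
]));

$anonymous = new SecurityContext();
$editor    = new SecurityContext('alice', ['Editor']);

foreach ([
    [$editor,    '/reports'],      // role permitted: access granted
    [$anonymous, '/reports'],      // case a): no token authenticated, redirect to login
    [$editor,    '/admin/users'],  // case b): authenticated but not authorised, denied
] as [$context, $resource]) {
    $response = $dispatcher->dispatch($context, $resource);
    printf("%-12s %-13s -> %d %s\n",
        $context->getAccount() ?? '(anonymous)', $resource, $response['status'], $response['body']);
}
```

The order of the two checks in decide() is what matters: testing the policy before testing for an authenticated account collapses both cases into AccessDenied, which is exactly the behaviour the post complains about, and leaves the dispatcher with no way to tell when a redirect to the login form is the right answer.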