Cannot rescue from a SecurityException, my rescue is ignored and get ASP.NET error page


jsmorris

Sep 9, 2008, 3:13:00 PM
to Castle Project Users
I have the following three Rescue attributes defined on my controller

[Rescue("error")]
[Rescue("controller", typeof(ControllerException))]
[Rescue("security", typeof(SecurityException))]

Inside one of my actions, I have placed one of the three types of
exceptions, but the SecurityException is never captured and I get an
ASP.NET error page instead of the view I defined in my views/rescues.
Exception and ControllerException work as advertised. I have tried
several combinations of the attributes and types, but no matter what I
do, a SecurityException is never handled properly.

public void Index()
{
    // throw new Exception("This is a test of an Exception");
    // throw new ControllerException("This is a test of a controller exception");
    throw new SecurityException("This is a test of a security exception");
}


All I want to do is display different help information when a security
exception is thrown, i.e. where to request access, only on
SecurityException. The other types of exceptions should show the
error and possible support email address.

Thanks,
Jason

Patrick Steele

Sep 9, 2008, 3:35:38 PM
to castle-pro...@googlegroups.com

Jimmy Shimizu

Sep 9, 2008, 6:14:22 PM
to castle-pro...@googlegroups.com
I had a somewhat similar problem, which led me to the point where I set
permissions exclusively on each action using PrincipalPermission.

Basically, you could set it on the controller and still use the
SecurityException, but then you cannot override it on the action/
method IIRC.

However, the reason for the ASP.NET-exception is probably because you
restrict access to the url with ASP.NET using <location> blocks in
your web.config (and even denying access if not authenticated probably).

You need to allow access to everything in your config and keep your
security-restrictions in your controllers with for instance,
PrincipalPermission.

jsmorris

Sep 9, 2008, 8:22:03 PM
to Castle Project Users
@Jimmy I am setting the PrincipalPermission on each of my actions in
the controller and the PrincipalPermission is working as advertised.
I do not have a restriction to access the URL in my web.config. If I
comment out all my manual exceptions, things work. And, if I change
the role to "Foo" and since I don't have the Foo role, that is when I
get the ASP.NET error page.

My complete action is

[PrincipalPermission(SecurityAction.Demand, Role = Roles.Administrator)]
public void Index()
{
    // throw new Exception("This is a test of an Exception");
    // throw new ControllerException("This is a test of a controller exception");
    throw new SecurityException("This is a test of a security exception");

    PropertyBag["feeds"] = Feed.FindAll();
}

@Patrick I am working off a nightly build 92?, so I am pretty
current. As I stated to Jimmy, I am setting my PrincipalPermission at
the action level, so the thread you referenced doesn't seem
applicable. Unless I am misunderstanding your suggestions, I believe
my problem is with how monorail catches exceptions and then figures
out which rescue view to use and when it doesn't find it, it bubbles
the exception out to ASP.NET.

If I throw the ControllerException or just a plain Exception, the
rescues work, so what is stumping me is why is the SecurityException
any different since it is thrown in the same place as the others.

Jason

Patrick Steele

Sep 9, 2008, 9:00:33 PM
to castle-pro...@googlegroups.com
What are you doing in your HttpApplication's AuthenticateRequest event?

jsmorris

Sep 10, 2008, 12:56:30 PM
to Castle Project Users
@Patrick...I am working in an intranet environment, so I am using
Windows Authentication. I am not handling the AuthenticateRequest
event.

On Sep 10, 2:00 am, "Patrick Steele" <patrick.ste...@gmail.com> wrote:
> What are you doing in your HttpApplication's AuthenticateRequest event?

jsmorris

Sep 10, 2008, 8:34:22 PM
to Castle Project Users
Problem solved and it was the smack the forehead kind of solution.

The error was in my rescue view that I was showing. I had a view
component (to render a nice layout of the exception) that had an error
in it. So when it was trying to render my rescue view an error
occurred and an ASP.NET error page was shown. The error that was
shown on the ASP.NET page was the security exception from the
controller and not the exception for the view rendering, thus pointing
me in the wrong direction.

I got to this point because I was playing around with creating a
custom rescue controller. I was able to successfully capture a
security exception. At that point, I knew the MR plumbing was working
so it forced me to look at my code, and yep...I had a problem in my
view.

Thanks again to @Patrick and @Jimmy. It helps to look in the right
place.

Jason
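
The failure mode resolved in this thread, as an added example that is not part of any post and is not MonoRail's code: a simplified model of rescue selection by exception type, in which a broken rescue view is reported as its own error instead of resurfacing as the original SecurityException. The names Select, Render and Handle are hypothetical, and ArgumentException stands in for ControllerException.

```csharp
using System;
using System.Collections.Generic;
using System.Security;

// Simplified model of type-based rescue dispatch; not MonoRail's implementation.
static class RescueDemo
{
    // Choose the matching rescue whose declared type is most specific.
    static string Select(List<(string View, Type Handles)> rescues, Exception ex)
    {
        string view = null; Type best = null;
        foreach (var r in rescues)
            if (r.Handles.IsInstanceOfType(ex) && (best == null || best.IsAssignableFrom(r.Handles)))
            { view = r.View; best = r.Handles; }
        return view;
    }

    // Constructed stand-in for a view engine: the "security" view has a bug.
    static string Render(string view, Exception ex)
    {
        if (view == "security") throw new InvalidOperationException("view component failed");
        return "rescues/" + view + ": " + ex.Message;
    }

    static string Handle(List<(string View, Type Handles)> rescues, Exception original)
    {
        string view = Select(rescues, original);
        if (view == null) return "no rescue matched " + original.GetType().Name;
        try { return Render(view, original); }
        catch (Exception renderError)
        {
            // Surface the render failure first; keep the original as context.
            return "rescue view '" + view + "' failed: " + renderError.Message +
                   " (while handling " + original.GetType().Name + ")";
        }
    }

    static void Main()
    {
        var rescues = new List<(string View, Type Handles)>
        {
            ("error", typeof(Exception)),
            ("controller", typeof(ArgumentException)), // stand-in for ControllerException
            ("security", typeof(SecurityException)),
        };
        Console.WriteLine(Handle(rescues, new Exception("plain failure")));
        Console.WriteLine(Handle(rescues, new SecurityException("access denied")));
    }
}
```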