Explicitly handling 401 error


Jérôme Leleu

Aug 7, 2015, 11:04:22 AM
to Play framework dev
Hi,

Coming back to Play 2.4 (I'm the creator of https://github.com/pac4j/play-pac4j), I noticed that the HTTP 401 error is not handled explicitly. In Play 2.4, I need to override the onClientError method, whereas I would override the onOtherClientError method in Play 3.0.

I may be biased as the developer of a security library, but I think the HTTP 401 error is a first-class citizen as well.

What do you think of catching it explicitly?

Thanks.
Best regards,
Jérôme

Greg Methvin

Aug 9, 2015, 7:35:08 PM
to Jérôme Leleu, Play framework dev
As I understand it, the point of onOtherClientError is to provide an easy way for users to handle errors that aren't already handled by the framework. If you're writing an authentication framework, you should probably override onClientError to explicitly handle the 401 case and call super.onClientError(). This way onOtherClientError still acts the way users expect it to.

There's no reason for Play to handle 401 by default since authentication is not enabled by default in Play. The error handler implementation should be the job of the library doing the authentication/authorization.


James Roper

Aug 9, 2015, 7:48:09 PM
to Greg Methvin, Jérôme Leleu, Play framework dev
Also note that HttpErrorHandler only has onClientError - from a public API perspective, none of the client error codes are handled specially. onOtherClientError is nothing more than a protected convenience method that users can override if they want to reuse some of the logic in DefaultHttpErrorHandler.

I'm not exactly sure what your use case is. If you want pac4j to provide some convenient default error handling, then I would recommend implementing your own class that extends DefaultHttpErrorHandler, overrides onClientError or onOtherClientError, and provides a protected onUnauthorized.
--
James Roper
Software Engineer

Typesafe – Build reactive apps!
Twitter: @jroper
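
The approach suggested in the replies above, sketched as an added example (not code from this thread, from pac4j, or from Play itself): a handler that extends DefaultHttpErrorHandler, routes 401 to a protected onUnauthorized, and defers every other status to super.onClientError. The class name, the response body and the WWW-Authenticate challenge value are assumptions; the constructor follows the Play 2.4 Scala API.

```scala
import javax.inject.{Inject, Provider, Singleton}

import play.api.{Configuration, Environment, OptionalSourceMapper}
import play.api.http.DefaultHttpErrorHandler
import play.api.http.Status.UNAUTHORIZED
import play.api.mvc.{RequestHeader, Result, Results}
import play.api.routing.Router

import scala.concurrent.Future

// Hypothetical class name. Register it with
//   play.http.errorHandler = "AuthAwareErrorHandler"
// in application.conf (use the fully qualified name if it lives in a package).
@Singleton
class AuthAwareErrorHandler @Inject() (
    env: Environment,
    config: Configuration,
    sourceMapper: OptionalSourceMapper,
    router: Provider[Router]
) extends DefaultHttpErrorHandler(env, config, sourceMapper, router) {

  // Handle 401 explicitly; every other status keeps the default behaviour,
  // so onForbidden, onNotFound and onOtherClientError still fire as users expect.
  override def onClientError(
      request: RequestHeader,
      statusCode: Int,
      message: String
  ): Future[Result] =
    statusCode match {
      case UNAUTHORIZED => onUnauthorized(request, message)
      case _            => super.onClientError(request, statusCode, message)
    }

  // Protected hook that applications can override, mirroring onForbidden.
  // The body is a fixed string rather than `message`, so nothing passed in by
  // the caller is reflected into the response. A 401 response carries a
  // WWW-Authenticate challenge; the scheme and realm here are assumed values.
  protected def onUnauthorized(
      request: RequestHeader,
      message: String
  ): Future[Result] =
    Future.successful(
      Results.Unauthorized("Authentication required")
        .withHeaders("WWW-Authenticate" -> "Bearer realm=\"example\"")
    )
}
```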

Jérôme LELEU

Aug 10, 2015, 3:40:22 AM
to James Roper, Greg Methvin, Play framework dev
Hi,

Sure, I will override the onClientError method in Play when needed. I think I get the idea, but in that case: why explicitly catch the 403 and not the 401? 


Thanks.
Best regards,
Jérôme

Greg Methvin

Aug 10, 2015, 4:19:00 AM
to Jérôme LELEU, James Roper, Play framework dev
I think the reason is simply that Play doesn't use 401 with onClientError internally, since it doesn't do authentication/authorization by default. It does use 403, for example in the CSRF filter.