FELIX-2768 Preset 403/FORBIDDEN response before calling HttpContext.handleSecurity instead of sendError after handleSecurity. This presets a sensible status if handleSecurity does not do it but does not overwrite the handleSecurity response if handleSecurity does not flush the buffer

git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@1056878 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java b/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java
index 5b46cf0..a47db6c 100644
--- a/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java
+++ b/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java
@@ -85,11 +85,14 @@
     private void doHandle(HttpServletRequest req, HttpServletResponse res)
         throws ServletException, IOException
     {
-        if (!getContext().handleSecurity(req, res)) {
-            if (!res.isCommitted()) {
-                res.sendError(HttpServletResponse.SC_FORBIDDEN);
-            }
-        } else {
+        // set a sensible status code in case handleSecurity returns false
+        // but fails to send a response
+        res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        if (getContext().handleSecurity(req, res))
+        {
+            // reset status to OK for further processing
+            res.setStatus(HttpServletResponse.SC_OK);
+
             this.servlet.service(new ServletHandlerRequest(req, this.alias), res);
         }
     }