FELIX-2768 Preset 403/FORBIDDEN response before calling HttpContext.handleSecurity instead of sendError after handleSecurity. This presets a sensible status if handleSecurity does not do it but does not overwrite the handleSecurity response if handleSecurity does not flush the buffer
git-svn-id: https://svn.apache.org/repos/asf/felix/trunk@1056878 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java b/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java
index 5b46cf0..a47db6c 100644
--- a/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java
+++ b/http/base/src/main/java/org/apache/felix/http/base/internal/handler/ServletHandler.java
@@ -85,11 +85,14 @@
private void doHandle(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException
{
- if (!getContext().handleSecurity(req, res)) {
- if (!res.isCommitted()) {
- res.sendError(HttpServletResponse.SC_FORBIDDEN);
- }
- } else {
+ // set a sensible status code in case handleSecurity returns false
+ // but fails to send a response
+ res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ if (getContext().handleSecurity(req, res))
+ {
+ // reset status to OK for further processing
+ res.setStatus(HttpServletResponse.SC_OK);
+
this.servlet.service(new ServletHandlerRequest(req, this.alias), res);
}
}