authorJon Marius Venstad <jvenstad@yahoo-inc.com>2019-03-26 13:30:55 +0100
committerJon Marius Venstad <jvenstad@yahoo-inc.com>2019-03-26 13:30:55 +0100
commit4518eb24f0786d514ba38c7eeaf2bb7c2b8dd984 (patch)
tree686c36b2d2176d7263889de63471f55e22d4b70f /controller-server
parent09ae8c58287ce583c378887cc88c0b6b7dafb7f7 (diff)
Return error messages, instead of throwing, as per superclass doc
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java15
1 files changed, 9 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index add71cd80d2..7298a0a91d0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -5,6 +5,7 @@ import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
+import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.HttpRequest;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.security.cors.CorsFilterConfig;
@@ -76,7 +77,8 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
public Optional<ErrorResponse> filterRequest(DiscFilterRequest request) {
try {
Principal principal = request.getUserPrincipal();
- if (principal == null) throw new ForbiddenException("Access denied.");
+ if (principal == null)
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access denied"));
Path path = new Path(request.getRequestURI());
Action action = Action.from(HttpRequest.Method.valueOf(request.getMethod()));
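Review bot: The new early return at the `if (principal == null)` check skips the WARNING log that the old `throw new ForbiddenException("Access denied.")` reached via the `catch (WebApplicationException e)` block later in the method (assuming ForbiddenException is the JAX-RS subclass), so a request that arrives without an authenticated principal is now rejected silently. Consider logging before returning, e.g. `log.log(LogLevel.WARNING, "Access denied: no principal for " + request.getMethod() + " " + request.getRequestURI());`. A missing principal arguably merits 401 rather than 403, but that is a behaviour change beyond this commit and depends on what the CorsRequestFilterBase contract expects for unauthenticated requests. filterRequest continues past the end of this hunk.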
@@ -86,11 +88,12 @@ public class ControllerAuthorizationFilter extends CorsRequestFilterBase {
return Optional.empty();
RoleMembership roles = new AthenzRoleResolver(athenz, controller, path).membership(principal);
- if (!roles.allows(action, request.getRequestURI())) {
- throw new ForbiddenException("Access denied");
- }
- return Optional.empty();
- } catch (WebApplicationException e) {
+ if (roles.allows(action, request.getRequestURI()))
+ return Optional.empty();
+
+ return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access denied"));
+ }
+ catch (WebApplicationException e) {
int statusCode = e.getResponse().getStatus();
String errorMessage = e.getMessage();
log.log(LogLevel.WARNING, String.format("Access denied (%d): %s", statusCode, errorMessage));
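Review bot: The new `return Optional.of(new ErrorResponse(Response.Status.FORBIDDEN, "Access denied"))` after the `roles.allows` check no longer passes through the `catch (WebApplicationException e)` block, so the `log.log(LogLevel.WARNING, ...)` entry that used to record every authorization failure (the old ForbiddenException was a WebApplicationException and landed in this catch) is now written only for denials that surface as exceptions from AthenzRoleResolver, not for the ordinary "role does not allow this action" path. For an authorization filter that log is the audit trail of who was refused what, so log before returning, e.g. `log.log(LogLevel.WARNING, String.format("Access denied: %s may not %s %s", principal.getName(), action, request.getRequestURI()));`. With no remaining throw of ForbiddenException in this method its import is presumably unused now — worth checking, since the import hunk only adds `Response`. The catch block's return and the remainder of filterRequest lie outside the hunk.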