Thanks to visit codestin.com
Credit goes to github.com

Skip to content

AccessDeniedException is converted to HTTP 302 even when request format is JSON #30099

Closed
@Jontsa

Description

@Jontsa

Description

When accessing a secured area using AJAX + JSON while not logged in, the ExceptionListener in Symfony Security component may convert AccessDeniedException to a HTTP 302 redirect to login page. The javascript can not really do anything with this since it is expecting JSON or HTTP error code.

Any other exception would be converted to JSON and passed back to browser with correct HTTP status code. But in this case, you need to create your own event listener to convert this exception in to JSON. This is the same issue as reported here: https://stackoverflow.com/questions/33240554/symfony2-security-annotation-turn-off-redirect-when-not-logged-in

See: Symfony\Component\Security\Http\Firewall\ExceptionListener::handleAccessDeniedException()

How to reproduce

  • Setup controller that throws AccessDeniedException
  • Setup controller that mocks a login page
  • Configure route to login page in security.yaml form_login > login_path
  • Try to access the first controller using AJAX + JSON
  • You expect a HTTP 403 error but instead you get HTTP 200 with login page contents

If needed, I can provide an example project in Github.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions