We are using pac4j in a Java EE application running on a WildFly server. We use pac4j with pac4j-buji to get user ids through OIDC and bridge them into the Shiro subject. Our problem is that we throw a custom exception when the user lacks some application-specific permission to view something. We show a custom error page if such an exception is thrown by defining the following in the web.xml:
<error-page>
    <exception-type>my.app.PermissionDeniedException</exception-type>
    <location>/access.xhtml</location>
</error-page>
Without pac4j the PermissionDeniedException will be wrapped in a jakarta.servlet.ServletException and the correct page access.xhtml is shown to the user.
With pac4j the ServletException is wrapped again in a java.lang.RuntimeException by the org.pac4j.core.engine.AbstractExceptionAwareLogic#handleException(Exception e, HttpActionAdapter httpActionAdapter, WebContext context) method. This causes the web.xml to not recognize it as a my.app.PermissionDeniedException and therefore does not show the correct error page.
The documentation illustrates a way to fully implement my own SecurityFilter (https://www.pac4j.org/3.7.x/docs/how-to-implement-pac4j-for-a-new-framework.html), which would certainly work, but I wanted to ask if there is a simpler way to modify the default exception handling?
I have searched here on Stack Overflow and the old Google Groups for some similar problem, but as far as I am aware this question wasn't asked before.
It depends on the version of pac4j you use, but yes, you should be able to override the handleException method in a custom SecurityLogic, CallbackLogic and LogoutLogic and define these new ones at the Config level or at the filter level.
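
A sketch of the override described in the answer, added here as an example and not taken from the answer or from pac4j itself. It assumes a pac4j version whose `handleException` has the non-generic signature quoted in the question, and that `my.app.PermissionDeniedException` extends `RuntimeException`; the class name `UnwrappingSecurityLogic` is hypothetical.

```java
import my.app.PermissionDeniedException; // the asker's class; assumed to be unchecked
import org.pac4j.core.context.WebContext;
import org.pac4j.core.engine.DefaultSecurityLogic;
import org.pac4j.core.http.adapter.HttpActionAdapter;

/**
 * Hypothetical SecurityLogic that lets the application's authorization
 * exception reach the servlet container unwrapped, so the <error-page>
 * mapping in web.xml can match it. Everything else keeps pac4j's default
 * handling (HttpAction adaptation, RuntimeException wrapping).
 */
public class UnwrappingSecurityLogic extends DefaultSecurityLogic {

    // Upper bound on cause-chain traversal, guards against cyclic causes.
    private static final int MAX_DEPTH = 10;

    @Override
    protected Object handleException(final Exception e,
                                     final HttpActionAdapter httpActionAdapter,
                                     final WebContext context) {
        // Typical chain here: ServletException -> PermissionDeniedException.
        Throwable current = e;
        for (int depth = 0; current != null && depth < MAX_DEPTH; depth++) {
            if (current instanceof PermissionDeniedException) {
                // Rethrow the original instance instead of a RuntimeException wrapper.
                throw (PermissionDeniedException) current;
            }
            current = current.getCause();
        }
        // Not an authorization failure of ours: default behaviour applies.
        return super.handleException(e, httpActionAdapter, context);
    }
}

// Registration at the Config level, wherever the pac4j Config is built:
//     config.setSecurityLogic(new UnwrappingSecurityLogic());
```

Only the one exception type is unwrapped; any other failure still goes through the default handler, so unexpected errors are not turned into the access-denied page.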