Question
Timothy Leavitt · Apr 6, 2022

Returning an HTTP 403 from %CSP.SessionEvents:OnStartRequest

Is there a way, given a %CSP.SessionEvents subclass, to simply return an HTTP 403 error status from OnStartRequest?

If I return an error %Status from the method, it'll go to the error page; if I don't, it's always a 200 OK and the page continues to render.

Product version: IRIS 2021.2
$ZV: IRIS for Windows (x86-64) 2021.2 (Build 651U) Mon Jan 31 2022 17:39:04 EST
Discussion (3)

Try this:

ClassMethod OnStartRequest() As %Status
{
  #dim %response As %CSP.Response
  
  ;s %response.ContentType="text/html",%response.Expires=-1
  s %response.Status=##class(%CSP.REST).#HTTP403FORBIDDEN
  q $$$OK
}

Or this:

/// Event handler for <b>PreHTTP</b> event: this is invoked before
/// the HTTP headers for a CSP page have been sent.  All changes to the
/// <class>%CSP.Response</class> class, such as adding cookies, HTTP headers,
/// setting the content type etc. must be made from within the OnPreHTTP() method.
/// Also changes to the state of the CSP application such as changing
/// %session.EndSession or %session.AppTimeout must be made within the OnPreHTTP() method.
/// It is preferred that changes to %session.Preserve are also made in the OnPreHTTP() method
/// as this is more efficient, although it is supported in any section of the page.
/// Return <b>0</b> to prevent <method>OnPage</method> from being called.
ClassMethod OnPreHTTP() As %Boolean [ ServerOnly = 1 ]
{
  s %response.Status="403 Forbidden"
  q 0
}

Here's the problem:

  • I need to do this in a session events class, as I want it to be reusable and apply to all resources in a given web application.
  • If OnStartRequest returns $$$OK, the page renders (%response.Status is set correctly, though).
  • If OnStartRequest returns an error, the web application's error page is shown.

The solution might be using a custom error page too.

Simple solution:
Create a class extending %CSP.Page with:

ClassMethod OnPreHTTP() As %Boolean
{
    Set %response.Status = ##class(%CSP.REST).#HTTP403FORBIDDEN
    Quit 0
}

From the %CSP.SessionEvents subclass, in OnStartRequest:

set %response.ServerSideRedirect = "<that classname>.cls"
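
The two pieces of the last answer assembled into complete classes, as an added example that is not part of the original thread. The class names Demo.Forbidden and Demo.SessionEvents, the IsAllowed() helper and the resource name Demo_App_Resource are hypothetical, and Demo.SessionEvents is assumed to be configured as the web application's event class.

```objectscript
/// Added example: a page whose only job is to answer 403 with no body.
Class Demo.Forbidden Extends %CSP.Page
{

ClassMethod OnPreHTTP() As %Boolean
{
    Set %response.Status = ##class(%CSP.REST).#HTTP403FORBIDDEN
    // Returning 0 prevents OnPage from being called, so nothing is rendered
    Quit 0
}

}

/// Added example: session events class, reusable for every resource
/// in the web application it is assigned to.
Class Demo.SessionEvents Extends %CSP.SessionEvents
{

/// Hypothetical policy check: the current user must hold USE permission
/// on an assumed resource. Replace with the application's own rule.
ClassMethod IsAllowed() As %Boolean
{
    Quit $SYSTEM.Security.Check("Demo_App_Resource", "USE")
}

ClassMethod OnStartRequest() As %Status
{
    If '..IsAllowed() {
        // Hand the request to the 403 page instead of the requested one.
        // Returning an error %Status here would show the error page instead.
        Set %response.ServerSideRedirect = "Demo.Forbidden.cls"
    }
    // Always return $$$OK; the redirect target sets the HTTP status
    Quit $$$OK
}

}
```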