Describe the bug When a AuthenticationServiceException is thrown from AuthenticationProviders say JwtAuthenticationProvider is throwing this exception at this line and the security filter chain is not able to capture this exception in accessDeniedHandler or authenticationEntryPoint though it is configured with proper exceptionHandling but it works when an instance of OAuth2AuthenticationException is thrown
To Reproduce Configure httpsecurity filter chain with proper exceptionHandling
Expected behavior Exception thrown of type AuthenticationServiceException should be handled same like OAuth2AuthenticationException
Sample
@Bean
AuthenticationManagerResolver<HttpServletRequest> multitenantPasAuthenticationManager(JwtAuthenticationProvider jwtAuthenticationProvider) {
// AuthenticationServiceException if thrown by JwtAuthenticationProvider
return (request) -> new ProviderManager(jwtAuthenticationProvider);
}
@Bean
public Customizer<HttpSecurity> securityCustomizer(AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver,
ObjectMapper objectMapper) {
return http -> {
try {
http.oauth2ResourceServer(oauth2 -> {
oauth2.authenticationManagerResolver(authenticationManagerResolver);
oauth2.accessDeniedHandler(new MyCustomHandler(objectMapper));
oauth2.authenticationEntryPoint(new MyCustomEntryPoint(objectMapper));
});
} catch (Exception exception) {
log.error("Failed to configure OAuth2 resource server", exception);
throw new IllegalStateException(exception);
}
};
}
@Bean
public SecurityFilterChain securityFilterChain(final HttpSecurity http,
final MvcRequestMatcher.Builder mvc,
Customizer<HttpSecurity> securityCustomizer) throws Exception {
securityCustomizer.customize(http);
http
.csrf(AbstractHttpConfigurer::disable)
.httpBasic(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.cors(AbstractHttpConfigurer::disable)
.formLogin(AbstractHttpConfigurer::disable)
.requestCache(RequestCacheConfigurer::disable)
.logout(AbstractHttpConfigurer::disable)
.headers(getHeadersConfigurerCustomizer())
.authorizeHttpRequests(auth -> {
// https://spring.io/security/cve-2023-34035
// https://github.com/jzheaux/cve-2023-34035-mitigations/tree/main
EXCLUDED_RESOURCES.forEach(s -> {
// Use ant matcher for permitting the access
auth.requestMatchers(antMatcher(s)).permitAll();
});
// Dispatcher servlet
if (h2ConsoleEnabled) {
auth.requestMatchers(antMatcher("/h2-console/**")).permitAll();
}
appProperties.resourceBasePaths().forEach(basePath -> {
auth.requestMatchers(mvc.pattern(basePath + "/**")).access(AuthorizationManagers.allOf(
new WebExpressionAuthorizationManager("hasRole('CLIENT')")
));
});
auth.anyRequest().denyAll();
})
.exceptionHandling(httpSecurityExceptionHandlingConfigurer -> {
httpSecurityExceptionHandlingConfigurer.accessDeniedHandler(new MyCustomHandler(objectMapper));
httpSecurityExceptionHandlingConfigurer.authenticationEntryPoint(new MyCustomEntryPoint(objectMapper));
});
return http.build();
}
Comment From: kpur-sbab
if (!AuthenticationServiceException.class.isAssignableFrom(exception.getClass())) {
this.authenticationEntryPoint.commence(request, response, exception);
return;
}
In AuthenticationEntryPointFailureHandler could be the cause
Comment From: kpur-sbab
Handling it like this for now,
oauth2.withObjectPostProcessor(new ObjectPostProcessor<BearerTokenAuthenticationFilter>() {
@Override
public <O extends BearerTokenAuthenticationFilter> O postProcess(O object) {
AuthenticationEntryPointFailureHandler authenticationEntryPointFailureHandler = new AuthenticationEntryPointFailureHandler(problemJsonAuthenticationEntryPoint);
authenticationEntryPointFailureHandler.setRethrowAuthenticationServiceException(false);
object.setAuthenticationFailureHandler(authenticationEntryPointFailureHandler);
return object;
}
})
Comment From: kpur-sbab
Hi @jgrandja , What do you think about this? I could understand AuthenticationServiceException is more for any DB or API failure during authentication process but throwing in JwtAuthenticationProvider might not be right since the JWTs are always self contained
Comment From: jzheaux
Hi, @kpur-sbab. It is intended for AuthenticationServiceException to propagate through the filter chain since it indicates a 500 error instead of something that the user can do something about. It is thrown, for example, when the resource server cannot reach the authorization server to obtain JWKs. In this case, it doesn't necessarily make sense to ask the client for authentication credentials.
It sounds like you may be interested in having your authentication failure handler also handle 500 errors. For my own curiosity, do you plan to respond in the same way as when the credential itself fails to validate (a 401 error) or do something different?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.