ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0

Ability to configure exceptionHandling functionality for com.c4-soft.springaddons.oidc.resourceserver #151

Closed nexus061 closed 9 months ago

nexus061 commented 9 months ago

Hi, it would be useful to be able to configure the class that handles exceptions with the 401 status. If I want, I can make a pull request.

ch4mpy commented 9 months ago

Sure, you can propose a pull request, even if it is still an early draft. I can provide support to polish it.

If you have something ready, we can talk about features based on it.

Otherwise, what features do you target exactly?

nexus061 commented 9 months ago

    http.exceptionHandling(exceptionHandling -> exceptionHandling.authenticationEntryPoint((request, response, authException) -> {
        response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"Restricted Content\"");
        response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
    }));

I would like to define my class for this feature, so that I can command the response message. I'm seeing that there is the ResourceServerHttpSecurityPostProcessor interface; maybe with this you don't need to modify. My idea was to look for a bean for exception handling and, if found, to use that; otherwise go ahead as normal. What do you think?
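
Added illustration, not part of the original thread and not spring-addons code: a custom `AuthenticationEntryPoint` of the kind requested above, written against plain Spring Security 6 APIs. The class name `JsonBearerAuthenticationEntryPoint` and the helper `apply` are hypothetical; the entry point keeps the realm from the lambda above, adds the RFC 6750 `error` attribute when a bearer token was rejected, and returns a fixed JSON body so that no exception detail reaches the client.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical class for illustration; not taken from spring-addons.
public class JsonBearerAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException {
        StringBuilder challenge = new StringBuilder("Bearer realm=\"Restricted Content\"");
        // RFC 6750: add an error code only when a token was presented and rejected.
        if (authException instanceof OAuth2AuthenticationException oauth2Exception) {
            String code = oauth2Exception.getError().getErrorCode();
            challenge.append(", error=\"").append(quotedStringSafe(code)).append('"');
        }
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.setHeader(HttpHeaders.WWW_AUTHENTICATE, challenge.toString());
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        // Fixed body: the exception message and stack trace stay in server logs.
        response.getWriter().write("{\"status\":401,\"error\":\"Unauthorized\"}");
    }

    // Keep only characters RFC 6750 allows in an attribute value (no quotes, backslashes, CR/LF).
    private static String quotedStringSafe(String value) {
        return value.replaceAll("[^\\x20-\\x21\\x23-\\x5B\\x5D-\\x7E]", "");
    }

    // Register for both paths: requests without authentication (exceptionHandling)
    // and bearer tokens rejected by the resource-server filter (oauth2ResourceServer).
    public static void apply(HttpSecurity http) throws Exception {
        AuthenticationEntryPoint entryPoint = new JsonBearerAuthenticationEntryPoint();
        http.exceptionHandling(handling -> handling.authenticationEntryPoint(entryPoint));
        http.oauth2ResourceServer(server -> server.authenticationEntryPoint(entryPoint));
    }
}
```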

ch4mpy commented 9 months ago

Yes, you can use ResourceServerHttpSecurityPostProcessor to modify the configured exception handler (you can modify anything from the filter-chain with it), but this is probably not as handy as would be a @ConditionalOnMissingBean implementing ExceptionHandlingConfigurer<HttpSecurity> with the code of the lambda you just found.

If we had such a bean injected in springAddonsJwtResourceServerSecurityFilterChain and springAddonsIntrospectingResourceServerSecurityFilterChain and cascaded down to ServletConfigurationSupport::configureResourceServer, Spring-addons users would have no more to do than defining their own ExceptionHandlingConfigurer<HttpSecurity> bean somewhere in their conf.

Note that something similar should be applied to reactive implementations (in ReactiveSpringAddonsOidcResourceServerBeans) to enable customization of the whole ExceptionHandlingSpec (instead of just the ServerAccessDeniedHandler).

Do you prefer to make the PR by yourself (and be contributor), or are you interested just in the feature (I have time to release it within the next 12 hours)?

nexus061 commented 9 months ago

Hi @ch4mpy, I have done a pull request: https://github.com/ch4mpy/spring-addons/pull/152

ch4mpy commented 9 months ago

Released with 7.1.11 which should be available shortly from maven-central

ch4mpy commented 9 months ago

@nexus061 this is finally released as 7.1.12. I just checked on maven-central, the release is publicly available.

Something went wrong when releasing yesterday and I believe that for some reason the version was labeled git instead of 7.1.11...

nexus061 commented 9 months ago

> @nexus061 this is finally released as 7.1.12. I just checked on maven-central, the release is publicly available.
>
> Something went wrong when releasing yesterday and I believe that for some reason the version was labeled git instead of 7.1.11...

great!