Closed bertramn closed 2 years ago
to ensure exceptions in the security filter chain are also returned as proper RFC7807 responses.
Do you have examples? What kind of exceptions would that be?
If you think it's worthwhile, I'll throw in the unit tests for free ;) .
I'd love that! :heart:
We implemented a multi-tenanted OpenID Connect authentication processing filter based on org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
which uses a AuthenticationSuccessHandler
and AuthenticationFailureHandler
for the authentication outcome. The default SimpleUrlAuthenticationFailureHandler
is for form based auth and unless weirdly configured will redirect to login urls and create sessions - neither desirable for a pure stateless API. It also does not do any content negotiation or failure entity mapping. The exception that needs to be handled is any variant of the AuthenticationException
and IOException
from the filters attemptAuthentication()
method. If you inspect the implementation above you find the old friend from #292 ;).
Just looking through the stuff I've written a while back and just realised, I actually have a whole autoconfigure setup for "ProblemManagement". Let me put this all in a PR and you guys can pick and choose which bits you like.
The one question I have is supported versions. If we want Spring Boot 1.5.x support then autoconfig will be much more painful and complex. If 2.x is fine that would make things a lot easier to code.
I'm not sure if it's really required to make this so complex, perhaps an instruction with
@Component
@Slf4j
@RequiredArgsConstructor
class ProblemAuthenticationFailureHandler implements ServerAuthenticationFailureHandler {
private final ProblemAdvice advice;
@Override
public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, AuthenticationException exception) {
Mono<ResponseEntity<Problem>> response = advice.create(exception, webFilterExchange.getExchange());
return response.and(Mono.empty());
}
}
is sufficient?
Hi, stumble upon this issue when integrating with keycloak-adapter. Keycloak configures by default its on KeycloakAuthenticationFailureHandler.
I got around the issue by doing something like:
@Bean
public AuthenticationFailureHandler problemAuthenticationFailureHandler(final SecurityProblemSupport securityProblem) {
return securityProblem::commence;
}
I wonder if SecurityProblemSupport shouldn't implement AuthenticationFailureHandler exactly as it does for AuthenticationEntryPoint.
@chicobento Probably makes sense, yes.
Detailed Description
To complement the Problem mapping capability of
SecurityProblemSupport
, a customAuthenticationFailureHandler
should be added to ensure exceptions in the security filter chain are also returned as proper RFC7807 responses.The
AuthenticationFailureHandler
strategy can be used to modify the behaviour of spring security. When using spring boot as a resource server for APIs (not web pages), the out-of-the-boxAuthenticationFailureHandler
s are no sufficiently configurable to ensure the failure is written to the response in RFC7807 format. There are a few documented hacks out there that sort of get you half way but since this is part of a security system, probably not a good idea to copy-and-paste a bunch of car insurance quote examples together to return auth errors in json format.Context
We use this
AuthenticationFailureHandler
together with theSecurityProblemSupport
to setup spring boot APIs in a way that all responses are RFC7807 compliant. Other users might find it convenient to use an API optimised failure handler instead trying to make the spring supplied ones do something they are not designed to do.If you think it's worthwhile, I'll throw in the unit tests for free ;) .
Possible Implementation
We use something like this to close the gap: