Handle spring security authentication exceptions with ExceptionHandler

Question

I m using Spring MVC s  ControllerAdvice and  ExceptionHandler to handle all the exception of a REST Api  It works fine for exceptions thrown by web mvc controllers but it does not work for exceptions thrown by spring security custom filters because they run before the controller methods are invoked   I have a custom spring security filter that does a token based auth   public class AegisAuthenticationFilter extends GenericFilterBean             public void doFilter ServletRequest req  ServletResponse res  FilterChain chain  throws IOException  ServletException            try                                       catch AuthenticationException authenticationException                 SecurityContextHolder clearContext                authenticationEntryPoint commence request  response  authenticationException                          With this custom entry point    Component  restAuthenticationEntryPoint   public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint       public void commence HttpServletRequest request  HttpServletResponse response  AuthenticationException authenticationException  throws IOException  ServletException           response sendError HttpServletResponse SC UNAUTHORIZED  authenticationException getMessage                And with this class to handle exceptions globally    ControllerAdvice public class RestEntityResponseExceptionHandler extends ResponseEntityExceptionHandler         ExceptionHandler   InvalidTokenException class  AuthenticationException class         ResponseStatus value   HttpStatus UNAUTHORIZED       ResponseBody     public RestError handleAuthenticationException Exception ex             int errorCode   AegisErrorCode GenericAuthenticationError          if ex instanceof AegisException                errorCode     AegisException ex  getCode                       RestError re   new RestError              HttpStatus UNAUTHORIZED              errorCode                                  ex getMessage              return re            What I need to do is to return a detailed JSON body even for spring security  AuthenticationException  Is there a way make spring security AuthenticationEntryPoint and spring mvc  ExceptionHandler work together   I m using spring security 3 1 4 and spring mvc 3 2 4

User · Answer

Taking answers from  Nicola and  Victor Wing and adding a more standardized way   import org springframework beans factory InitializingBean  import org springframework http HttpStatus  import org springframework http converter HttpMessageConverter  import org springframework http server ServerHttpResponse  import org springframework http server ServletServerHttpResponse  import org springframework security core AuthenticationException  import org springframework security web AuthenticationEntryPoint   import javax servlet ServletException  import javax servlet http HttpServletRequest  import javax servlet http HttpServletResponse  import java io IOException   public class UnauthorizedErrorAuthenticationEntryPoint implements AuthenticationEntryPoint  InitializingBean        private HttpMessageConverter messageConverter        SuppressWarnings  unchecked        Override     public void commence HttpServletRequest request  HttpServletResponse response  AuthenticationException exception  throws IOException  ServletException            MyGenericError error   new MyGenericError            error setDescription exception getMessage              ServerHttpResponse outputMessage   new ServletServerHttpResponse response           outputMessage setStatusCode HttpStatus UNAUTHORIZED            messageConverter write error  null  outputMessage              public void setMessageConverter HttpMessageConverter messageConverter            this messageConverter   messageConverter              Override     public void afterPropertiesSet   throws Exception            if  messageConverter    null                throw new IllegalArgumentException  Property  messageConverter  is required                         Now  you can inject configured Jackson  Jaxb or whatever you use to convert response bodies on your MVC annotation or XML based configuration with its serializers  deserializers and so on

User · Answer

I was able to handle that by simply overriding the method  unsuccessfulAuthentication  in my filter  There  I send an error response to the client with the desired HTTP status code    Override protected void unsuccessfulAuthentication HttpServletRequest request  HttpServletResponse response          AuthenticationException failed  throws IOException  ServletException        if  failed getCause   instanceof RecordNotFoundException            response sendError  HttpServletResponse SC NOT FOUND   failed getMessage

User · Answer

In case of Spring Boot and  EnableResourceServer  it is relatively easy and convenient to extend ResourceServerConfigurerAdapter instead of WebSecurityConfigurerAdapter in the Java configuration and register a custom AuthenticationEntryPoint by overriding configure ResourceServerSecurityConfigurer resources  and using resources authenticationEntryPoint customAuthEntryPoint    inside the method    Something like this    Configuration  EnableResourceServer public class CommonSecurityConfig extends ResourceServerConfigurerAdapter         Override     public void configure ResourceServerSecurityConfigurer resources  throws Exception           resources authenticationEntryPoint customAuthEntryPoint                 Bean     public AuthenticationEntryPoint customAuthEntryPoint            return new AuthFailureHandler              There s also a nice OAuth2AuthenticationEntryPoint that can be extended  since it s not final  and partially re-used while implementing a custom AuthenticationEntryPoint  In particular  it adds  WWW-Authenticate  headers with error-related details   Hope this will help someone

User · Answer

Ok  I tried as suggested writing the json myself from the AuthenticationEntryPoint and it works  Just for testing I changed the AutenticationEntryPoint by removing response sendError  Component  quot restAuthenticationEntryPoint quot   public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint       public void commence HttpServletRequest request  HttpServletResponse response  AuthenticationException authenticationException  throws IOException  ServletException                response setContentType  quot application json quot            response setStatus HttpServletResponse SC UNAUTHORIZED           response getOutputStream   println  quot     quot error  quot     quot  quot    authenticationException getMessage      quot   quot    quot              In this way you can send custom json data along with the 401 unauthorized even if you are using Spring Security AuthenticationEntryPoint  Obviously you would not build the json as I did for testing purposes but you would serialize some class instance  In Spring Boot  you should add it to http authenticationEntryPoint   part of SecurityConfiguration file

User · Answer

This is a very interesting problem that Spring Security and Spring Web framework is not quite consistent in the way they handle the response  I believe it has to natively support error message handling with MessageConverter in a handy way   I tried to find an elegant way to inject MessageConverter into Spring Security so that they could catch the exception and return them in a right format according to content negotiation  Still  my solution below is not elegant but at least make use of Spring code   I assume you know how to include Jackson and JAXB library  otherwise there is no point to proceed  There are 3 Steps in total   Step 1 - Create a standalone class  storing MessageConverters  This class plays no magic  It simply stores the message converters and a processor RequestResponseBodyMethodProcessor  The magic is inside that processor which will do all the job including content negotiation and converting the response body accordingly   public class MessageProcessor      Any name you like        List of HttpMessageConverter     private List lt HttpMessageConverter lt   gt  gt  messageConverters         under org springframework web servlet mvc method annotation     private RequestResponseBodyMethodProcessor processor                  Below class name are copied from the framework          And yes  they are hard-coded  too              private static final boolean jaxb2Present           ClassUtils isPresent  javax xml bind Binder   MessageProcessor class getClassLoader          private static final boolean jackson2Present           ClassUtils isPresent  com fasterxml jackson databind ObjectMapper   MessageProcessor class getClassLoader     amp  amp          ClassUtils isPresent  com fasterxml jackson core JsonGenerator   MessageProcessor class getClassLoader          private static final boolean gsonPresent           ClassUtils isPresent  com google gson Gson   MessageProcessor class getClassLoader          public MessageProcessor             this messageConverters   new ArrayList lt HttpMessageConverter lt   gt  gt              this messageConverters add new ByteArrayHttpMessageConverter             this messageConverters add new StringHttpMessageConverter             this messageConverters add new ResourceHttpMessageConverter             this messageConverters add new SourceHttpMessageConverter lt Source gt              this messageConverters add new AllEncompassingFormHttpMessageConverter              if  jaxb2Present                this messageConverters add new Jaxb2RootElementHttpMessageConverter                       if  jackson2Present                this messageConverters add new MappingJackson2HttpMessageConverter                       else if  gsonPresent                this messageConverters add new GsonHttpMessageConverter                        processor   new RequestResponseBodyMethodProcessor this messageConverters                         This method will convert the response body to the desire format              public void handle Object returnValue  HttpServletRequest request          HttpServletResponse response  throws Exception           ServletWebRequest nativeRequest   new ServletWebRequest request  response           processor handleReturnValue returnValue  null  new ModelAndViewContainer    nativeRequest                          return list of message converters             public List lt HttpMessageConverter lt   gt  gt  getMessageConverters             return messageConverters            Step 2 - Create AuthenticationEntryPoint  As in many tutorials  this class is essential to implement custom error handling   public class CustomEntryPoint implements AuthenticationEntryPoint          The class from Step 1     private MessageProcessor processor       public CustomEntryPoint                It is up to you to decide when to instantiate         processor   new MessageProcessor                Override     public void commence HttpServletRequest request          HttpServletResponse response  AuthenticationException authException          throws IOException  ServletException               This object is just like the model class              the processor will convert it to appropriate format in response body         CustomExceptionObject returnValue   new CustomExceptionObject            try               processor handle returnValue  request  response             catch  Exception e                throw new ServletException                        Step 3 - Register the entry point  As mentioned  I do it with Java Config  I just show the relevant configuration here  there should be other configuration such as session stateless  etc    Configuration  EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter        Override     protected void configure HttpSecurity http  throws Exception           http exceptionHandling   authenticationEntryPoint new CustomEntryPoint               Try with some authentication fail cases  remember the request header should include Accept   XXX and you should get the exception in JSON  XML or some other formats

User · Answer

The best way I ve found is to delegate the exception to the HandlerExceptionResolver   Component  restAuthenticationEntryPoint   public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint         Autowired     private HandlerExceptionResolver resolver        Override     public void commence HttpServletRequest request  HttpServletResponse response  AuthenticationException exception  throws IOException  ServletException           resolver resolveException request  response  null  exception             then you can use  ExceptionHandler to format the response the way you want

User · Answer

Customize the filter  and determine what kind of abnormality  there should be a better method than this  public class ExceptionFilter extends OncePerRequestFilter     Override protected void doFilterInternal HttpServletRequest request  HttpServletResponse response  FilterChain filterChain  throws IOException  ServletException       String msg           try           filterChain doFilter request  response         catch  Exception e            if  e instanceof JwtException                msg   e getMessage                      response setCharacterEncoding  UTF-8            response setContentType MediaType APPLICATION JSON getType             response getWriter   write JSON toJSONString Resp error msg             return

User · Answer

In ResourceServerConfigurerAdapter class  below code snipped worked for me  http exceptionHandling   authenticationEntryPoint new AuthFailureHandler    and csrf     did not work  That s why I wrote it as separate call   public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter         Override     public void configure HttpSecurity http  throws Exception            http exceptionHandling   authenticationEntryPoint new AuthFailureHandler              http csrf   disable                    anonymous   disable                    authorizeRequests                    antMatchers HttpMethod OPTIONS  permitAll                    antMatchers   subscribers      authenticated                    antMatchers   requests      authenticated             Implementation of AuthenticationEntryPoint for catching token expiry and missing authorization header    public class AuthFailureHandler implements AuthenticationEntryPoint       Override   public void commence HttpServletRequest httpServletRequest  HttpServletResponse httpServletResponse  AuthenticationException e        throws IOException  ServletException       httpServletResponse setContentType  application json        httpServletResponse setStatus HttpServletResponse SC UNAUTHORIZED        if  e instanceof InsufficientAuthenticationException           if  e getCause   instanceof InvalidTokenException            httpServletResponse getOutputStream   println                                        message      Token has expired                          type      Unauthorized                          status    401                                            if  e instanceof AuthenticationCredentialsNotFoundException           httpServletResponse getOutputStream   println                                    message      Missing Authorization Header                        type      Unauthorized                        status    401

User · Answer

Update  If you like and prefer to see the code directly  then I have two examples for you  one using standard Spring Security which is what you are looking for  the other one is using the equivalent of Reactive Web and Reactive Security  - Normal Web   Jwt Security - Reactive Jwt  The one that I always use for my JSON based endpoints looks like the following    Component public class JwtAuthEntryPoint implements AuthenticationEntryPoint         Autowired     ObjectMapper mapper       private static final Logger logger   LoggerFactory getLogger JwtAuthEntryPoint class         Override     public void commence HttpServletRequest request                           HttpServletResponse response                           AuthenticationException e              throws IOException  ServletException              Called when the user tries to access an endpoint which requires to be authenticated            we just return unauthorizaed         logger error  Unauthorized error  Message -      e getMessage              ServletServerHttpResponse res   new ServletServerHttpResponse response           res setStatusCode HttpStatus UNAUTHORIZED           res getServletResponse   setHeader HttpHeaders CONTENT TYPE  MediaType APPLICATION JSON VALUE           res getBody   write mapper writeValueAsString new ErrorResponse  You must authenticated    getBytes               The object mapper becomes a bean once you add the spring web starter  but I prefer to customize it  so here is my implementation for ObjectMapper      Bean     public Jackson2ObjectMapperBuilder objectMapperBuilder             Jackson2ObjectMapperBuilder builder   new Jackson2ObjectMapperBuilder            builder modules new JavaTimeModule                 for example  Use created at instead of createdAt         builder propertyNamingStrategy PropertyNamingStrategy SNAKE CASE               skip null fields         builder serializationInclusion JsonInclude Include NON NULL           builder featuresToDisable SerializationFeature WRITE DATES AS TIMESTAMPS           return builder          The default AuthenticationEntryPoint you set in your WebSecurityConfigurerAdapter class    Configuration  EnableWebSecurity  EnableGlobalMethodSecurity prePostEnabled   true  public class SecurityConfig extends WebSecurityConfigurerAdapter                       Autowired     private JwtAuthEntryPoint unauthorizedHandler   Override     protected void configure HttpSecurity http  throws Exception           http cors   and   csrf   disable                    authorizeRequests                       antMatchers   api auth       api login           permitAll                    anyRequest   permitAll                    and                    exceptionHandling   authenticationEntryPoint unauthorizedHandler                   and                    sessionManagement   sessionCreationPolicy SessionCreationPolicy STATELESS             http headers   frameOptions   disable       otherwise H2 console is not available            There are many ways to ways of placing our Filter in a position in the chain            You can troubleshoot any error enabling debug see below   it will print the chain of Filters         http addFilterBefore authenticationJwtTokenFilter    UsernamePasswordAuthenticationFilter class

User · Answer

We need to use HandlerExceptionResolver in that case    Component public class RESTAuthenticationEntryPoint implements AuthenticationEntryPoint         Autowired        Qualifier  handlerExceptionResolver       private HandlerExceptionResolver resolver        Override     public void commence HttpServletRequest request  HttpServletResponse response  AuthenticationException authException  throws IOException           resolver resolveException request  response  null  authException             Also  you need to add in the exception handler class to return your object    RestControllerAdvice public class GlobalExceptionHandler extends ResponseEntityExceptionHandler         ExceptionHandler AuthenticationException class      public GenericResponseBean handleAuthenticationException AuthenticationException ex  HttpServletResponse response           GenericResponseBean genericResponseBean   GenericResponseBean build MessageKeys UNAUTHORIZED           genericResponseBean setError true           response setStatus HttpStatus UNAUTHORIZED value             return genericResponseBean            may you get an error at the time of running a project because of multiple implementations of HandlerExceptionResolver  In that case you have to add  Qualifier  handlerExceptionResolver   on HandlerExceptionResolver

User · Answer

I m using the objectMapper  Every Rest Service is mostly working with json  and in one of your configs you have already configured an object mapper   Code is written in Kotlin  hopefully it will be ok    Bean fun objectMapper    ObjectMapper       val objectMapper   ObjectMapper       objectMapper registerModule JodaModule        objectMapper configure SerializationFeature WRITE DATES AS TIMESTAMPS  false       return objectMapper    class UnauthorizedAuthenticationEntryPoint   BasicAuthenticationEntryPoint           Autowired     lateinit var objectMapper  ObjectMapper       Throws IOException  class  ServletException  class      override fun commence request  HttpServletRequest  response  HttpServletResponse  authException  AuthenticationException            response addHeader  Content-Type    application json           response status   HttpServletResponse SC UNAUTHORIZED          val responseError   ResponseError              message      authException message                       objectMapper writeValue response writer  responseError

[spring] Handle spring security authentication exceptions with @ExceptionHandler

Examples related to spring

Examples related to spring-mvc

Examples related to spring-security