
SES-127: Authentication failure sends back 500 err code

Open spring-projects-issues opened this issue 12 years ago • 0 comments

Brice (Migrated from SES-127) said:

When a problem occurs during the authentication step, the filter sets a 500 error code on the response (cf. https://github.com/SpringSource/spring-security-kerberos/blob/master/spring-security-kerberos-core/src/main/java/org/springframework/security/extensions/kerberos/web/SpnegoAuthenticationProcessingFilter.java#L164 ), which sounds weird for a caught AuthenticationException because it's then mixed with application errors.

Would it be possible to change it into a 403, set with javax.servlet.http.HttpServletResponse.sendError(int) instead of javax.servlet.http.HttpServletResponse.setStatus(int), to allow error pages defined in web.xml to be used by Tomcat?

To work around this, it is currently possible to define a custom AuthenticationFailureHandler, but this code has a very low value:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Workaround handler: answer a failed Kerberos/SPNEGO authentication with 403 via
// sendError(), so the container's web.xml error page applies instead of a bare 500.
public class KerberosAuthenticationFailureHandler implements
        AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException ae)
            throws IOException, ServletException {
        if (ae instanceof BadCredentialsException) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

spring-projects-issues · Jun 19 '13 09:06
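An added illustration of the setStatus/sendError difference the issue turns on; this is not code from the issue or the project, and it assumes Spring's `spring-test` mock servlet classes (`MockHttpServletRequest`, `MockHttpServletResponse`) and Spring Security are on the classpath. The failure handler is inlined as a lambda equivalent to the workaround above.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

public class FailureStatusDemo {

    public static void main(String[] args) throws Exception {
        // Constructed request standing in for a client whose SPNEGO token was rejected.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/secured");

        // Current filter behaviour: only a status code is set. The response is not
        // committed, so the container has no reason to render an <error-page>, and
        // a 500 cannot be told apart from a genuine application failure downstream.
        MockHttpServletResponse viaSetStatus = new MockHttpServletResponse();
        viaSetStatus.setStatus(500);
        System.out.println("setStatus(500): status=" + viaSetStatus.getStatus()
                + " committed=" + viaSetStatus.isCommitted());

        // Requested behaviour: sendError(403) through a failure handler. The response
        // is committed, which is what lets Tomcat dispatch to the 403 <error-page>
        // declared in web.xml instead of leaving a half-written body behind.
        AuthenticationFailureHandler handler =
                (req, res, ex) -> res.sendError(403);
        MockHttpServletResponse viaSendError = new MockHttpServletResponse();
        handler.onAuthenticationFailure(request, viaSendError,
                new BadCredentialsException("Kerberos validation failed"));
        System.out.println("sendError(403): status=" + viaSendError.getStatus()
                + " committed=" + viaSendError.isCommitted());
    }
}
```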