spring-projects
Unhandled AuthenticationServiceException in the default exception handing of http filter chain (Resource Server)
Describe the bug When a AuthenticationServiceException is thrown from AuthenticationProviders say JwtAuthenticationProvider is throwing this exception at this line and the security filter chain is not able to capture this exception in accessDeniedHandler or authenticationEntryPoint though it is configured with proper exceptionHandling but it works when an instance of OAuth2AuthenticationException is thrown
To Reproduce Configure httpsecurity filter chain with proper exceptionHandling
Expected behavior Exception thrown of type AuthenticationServiceException should be handled same like OAuth2AuthenticationException
Sample
@Bean
AuthenticationManagerResolver<HttpServletRequest> multitenantPasAuthenticationManager(JwtAuthenticationProvider jwtAuthenticationProvider) {
// AuthenticationServiceException if thrown by JwtAuthenticationProvider
return (request) -> new ProviderManager(jwtAuthenticationProvider);
}
@Bean
public Customizer<HttpSecurity> securityCustomizer(AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver,
ObjectMapper objectMapper) {
return http -> {
try {
http.oauth2ResourceServer(oauth2 -> {
oauth2.authenticationManagerResolver(authenticationManagerResolver);
oauth2.accessDeniedHandler(new MyCustomHandler(objectMapper));
oauth2.authenticationEntryPoint(new MyCustomEntryPoint(objectMapper));
});
} catch (Exception exception) {
log.error("Failed to configure OAuth2 resource server", exception);
throw new IllegalStateException(exception);
}
};
}
@Bean
public SecurityFilterChain securityFilterChain(final HttpSecurity http,
final MvcRequestMatcher.Builder mvc,
Customizer<HttpSecurity> securityCustomizer) throws Exception {
securityCustomizer.customize(http);
http
.csrf(AbstractHttpConfigurer::disable)
.httpBasic(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.cors(AbstractHttpConfigurer::disable)
.formLogin(AbstractHttpConfigurer::disable)
.requestCache(RequestCacheConfigurer::disable)
.logout(AbstractHttpConfigurer::disable)
.headers(getHeadersConfigurerCustomizer())
.authorizeHttpRequests(auth -> {
// https://spring.io/security/cve-2023-34035
// https://github.com/jzheaux/cve-2023-34035-mitigations/tree/main
EXCLUDED_RESOURCES.forEach(s -> {
// Use ant matcher for permitting the access
auth.requestMatchers(antMatcher(s)).permitAll();
});
// Dispatcher servlet
if (h2ConsoleEnabled) {
auth.requestMatchers(antMatcher("/h2-console/**")).permitAll();
}
appProperties.resourceBasePaths().forEach(basePath -> {
auth.requestMatchers(mvc.pattern(basePath + "/**")).access(AuthorizationManagers.allOf(
new WebExpressionAuthorizationManager("hasRole('CLIENT')")
));
});
auth.anyRequest().denyAll();
})
.exceptionHandling(httpSecurityExceptionHandlingConfigurer -> {
httpSecurityExceptionHandlingConfigurer.accessDeniedHandler(new MyCustomHandler(objectMapper));
httpSecurityExceptionHandlingConfigurer.authenticationEntryPoint(new MyCustomEntryPoint(objectMapper));
});
return http.build();
}
if (!AuthenticationServiceException.class.isAssignableFrom(exception.getClass())) { this.authenticationEntryPoint.commence(request, response, exception); return; }
In AuthenticationEntryPointFailureHandler could be the cause
Handling it like this for now,
oauth2.withObjectPostProcessor(new ObjectPostProcessor<BearerTokenAuthenticationFilter>() {
@Override
public <O extends BearerTokenAuthenticationFilter> O postProcess(O object) {
AuthenticationEntryPointFailureHandler authenticationEntryPointFailureHandler = new AuthenticationEntryPointFailureHandler(problemJsonAuthenticationEntryPoint);
authenticationEntryPointFailureHandler.setRethrowAuthenticationServiceException(false);
object.setAuthenticationFailureHandler(authenticationEntryPointFailureHandler);
return object;
}
})
Hi @jgrandja , What do you think about this? I could understand AuthenticationServiceException is more for any DB or API failure during authentication process but throwing in JwtAuthenticationProvider might not be right since the JWTs are always self contained
Hi, @kpur-sbab. It is intended for AuthenticationServiceException to propagate through the filter chain since it indicates a 500 error instead of something that the user can do something about. It is thrown, for example, when the resource server cannot reach the authorization server to obtain JWKs. In this case, it doesn't necessarily make sense to ask the client for authentication credentials.
It sounds like you may be interested in having your authentication failure handler also handle 500 errors. For my own curiosity, do you plan to respond in the same way as when the credential itself fails to validate (a 401 error) or do something different?
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
@jzheaux Thanks for responding. Yes thats my intention to unify the response for any errors happening on the filter chain, it would be 401/403 instead of 500s. In our case 500s are always some runtime exceptions and not intended to be thrown for something that happened in the filter chain