Expected Behavior
In order to allow customization of errors when token is rejected (see #5985 for example), BearerTokenAuthenticationEntryPoint should allow to specify some sort of delegate to add more information apart of the WWW-Authenticate header
Current Behavior
BearerTokenAuthenticationEntryPoint is final and there is no way to enhance response other than creating a duplicated entry point.
Context
This would allow responses to be customized when tokens are rejected and add more information apart from the WWW-Authenticate header.
Comment From: jzheaux
@german1410, thanks for the suggestion. Copying a class can be annoying.
However, I think most of the WWW-Authenticate header functionality is available in Nimbus via their BearerTokenError class, which ships with a toWWWAuthenticateHeader method.
If that doesn't simplify your use case enough, maybe you could tell me more about what you are trying to accomplish.
Comment From: mschallar
I don't quite see the toWWWAuthenticateHeader in BearerTokenError or any super class.
In addition it would be nice if the BearerTokenAuthenticationEntryPoint class would not be final in order to extend it, otherwise just delegation is possible.
Comment From: jzheaux
@mschallar, I'm referring to BearerTokenError in Nimbus. Does that address your first question?
As for making it not final, can you share a specific example of something you are trying to do that is difficult with delegation?
Comment From: mschallar
It is not a matter of "too difficult with delegation", it's just a matter of preference.
Comment From: jzheaux
Great, thanks, @mschallar. While your preference for inheritance is understandable, Spring Security tends to prefer composition.
I'm going to close this issue as addressed. However, please feel free to continue commenting if there is more to discuss.