Describe the bug

In the OAuth2ResourceServerConfigurer, there is no way to customize the AuthenticationFailureHandler of the BearerTokenAuthenticationFilter.

To Reproduce

In an application using the configuration WebSecurityConfigurerAdapter, the filter chain is built including BearerTokenAuthenticationFilter, meaning that the filter cannot be modified easily to customize the authenticationFailureHandler.

Expected behavior

There is a setter method in the BearerTokenAuthenticationFilter, so it should be possible to provide a custom failure handler.

Comment From: jzheaux

Hi, @jbkervyn, thanks for the suggestion.

You can set the failure handler by configuring a post-processor:

http
    .authorizeRequests((authorize) -> authorize
        .anyRequest().authenticated()
    )
    .oauth2ResourceServer((oauth2) -> oauth2
        .jwt(withDefaults())
        .withObjectPostProcessor(new ObjectPostProcessor<BearerTokenAuthenticationFilter>() {
            @Override
            public BearerTokenAuthenticationFilter postProcess(BearerTokenAuthenticationFilter filter) {
                filter.setAuthenticationFailureHandler(failureHandler);
                return filter;
            }
        })
    );

Have you already tried this approach?

Comment From: jbkervyn

Hi @jzheaux, thanks a lot for pointing that out. I did indeed miss that part in the documentation.
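
One possible `failureHandler` for the post-processor shown in the thread, as an added example that is not code from the thread or from Spring Security. The class name is hypothetical, and the example assumes the `javax.servlet` API (Spring Security 5.x, matching `WebSecurityConfigurerAdapter`) and SLF4J on the classpath. It keeps the validation detail in the server log and returns only an RFC 6750 error code to the client.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical class (not part of Spring Security): audits rejected bearer tokens.
public class AuditingBearerTokenFailureHandler implements AuthenticationFailureHandler {
    private static final Logger LOG = LoggerFactory.getLogger(AuditingBearerTokenFailureHandler.class);
    // Error codes defined by RFC 6750; anything else is reported as invalid_token.
    private static final List<String> KNOWN = Arrays.asList("invalid_request", "invalid_token", "insufficient_scope");

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) {
        HttpStatus status = HttpStatus.UNAUTHORIZED;
        String code = "invalid_token";
        if (exception instanceof OAuth2AuthenticationException) {
            OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
            if (KNOWN.contains(error.getErrorCode())) {
                code = error.getErrorCode(); // only allow-listed values reach the response header
            }
            if (error instanceof BearerTokenError) {
                status = ((BearerTokenError) error).getHttpStatus();
            }
        }
        // The exception message can describe why validation failed (expiry, signature,
        // issuer), so it goes to the log only and is never echoed to the caller.
        LOG.warn("Bearer token rejected: remote={} path={} error={} detail={}",
                request.getRemoteAddr(), oneLine(request.getRequestURI()), code, oneLine(exception.getMessage()));
        response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"" + code + "\"");
        response.setStatus(status.value());
    }

    // Replace CR/LF so attacker-influenced text cannot forge additional log lines.
    private static String oneLine(String s) {
        return s == null ? "" : s.replaceAll("[\\r\\n]", "_");
    }
}
```

An instance of this class is what would be passed as `failureHandler` to `filter.setAuthenticationFailureHandler(...)` in the post-processor.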