Abhijit Sarkar (Migrated from SEC-3008) said:

protected final void saveException(HttpServletRequest request,
        AuthenticationException exception) {
    if (forwardToDestination) {
        request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
    }
    // more code
}

We have REST services that do not have the concept of a forwarding page but we must catch all auth errors and turn them into something more digestible for the user. The block of code above unnecessarily needed us to subclass SimpleUrlAuthenticationFailureHandler. It is shortsightedness to check for the existence of a "page" before setting the exception. It could be set in the request anyway.

Comment From: marcusdacoregio

You can handle AuthenticationException in your REST API by defining a @RestControllerAdvice that would do the translation of the exception to the proper message to the user, like so:

@RestControllerAdvice
public class RestApiControllerAdvice {

    @ExceptionHandler(AuthenticationException.class)
    public ResponseEntity<YourErrorResponse> onAuthenticationException(AuthenticationException ex) {
        ...
        YourErrorResponse response = buildYourErrorResponseBasedOnException();
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(response);
    }

}

You can refer to the Spring Security reference documentation to know more about Handling Security Exceptions.

I'm closing this but if there is something else to discuss we may reopen it.
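
For the REST case raised in this issue, the following is an added example, not code from the thread or from Spring Security itself: a handler that implements the `AuthenticationFailureHandler` interface directly, so no forwarding page or request attribute is involved, and that returns a fixed JSON error code while keeping the exception detail in the server log. It assumes Spring Security 6 (`jakarta.servlet`); the class name `JsonAuthenticationFailureHandler` and the error code strings are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Hypothetical class; implements the real AuthenticationFailureHandler interface.
public class JsonAuthenticationFailureHandler implements AuthenticationFailureHandler {

    private static final Logger LOG =
            Logger.getLogger(JsonAuthenticationFailureHandler.class.getName());

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException {
        // The exception type is logged server-side only; the message is never echoed to the client.
        LOG.warning("Authentication failed from " + request.getRemoteAddr() + ": "
                + exception.getClass().getSimpleName());

        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // errorCode() returns only fixed literals, so no JSON escaping is needed here.
        response.getWriter().write("{\"error\":\"" + errorCode(exception) + "\"}");
    }

    // Maps the exception to a small fixed set of codes (constructed for this example).
    // An unknown user and a wrong password produce the same code, and account status
    // (locked, disabled, expired) is deliberately not distinguished, so the response
    // does not reveal whether an account exists.
    static String errorCode(AuthenticationException exception) {
        if (exception instanceof BadCredentialsException
                || exception instanceof UsernameNotFoundException) {
            return "invalid_credentials";
        }
        return "authentication_failed";
    }
}
```

An instance is registered through the `failureHandler(...)` option of the login configurer in use.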