ExceptionHandlingConfigurer allows for additional AuthenticationEntryPoints to be wired by a RequestMatcher:
    exceptionHandling()
        .defaultAuthenticationEntryPointFor(
            myAuthenticationEntryPoint(),
            new AntPathRequestMatcher("/path/**"))
ExceptionHandlingSpec does not have this support. It is not possible for a user to add an additional entry point to the list of default entry points configured by the built-in extensions. It is only possible to fully override the entry points:
    .exceptionHandling()
        .authenticationEntryPoint(myServerAuthenticationEntryPoint())
Context
We are using spring-oauth2 support to integrate with an OIDC IDP server. We would like to preserve the default entry points (for instance, for HTML requests) contributed by ServerHttpSecurity.OAuth2LoginSpec#setDefaultEntryPoints and add an additional entry point for AJAX calls from our React frontend. With ExceptionHandlingConfigurer we used something like this:
    exceptionHandling().defaultAuthenticationEntryPointFor(
        this::sendAjaxResponse,
        new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"));
    ...
    private void sendAjaxResponse(
            HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) {
        String referer = request.getHeader(HttpHeaders.REFERER);
        if (referer != null) {
            // save the URL to redirect the user to the current page upon successful login
        }
        // JS uses the Location header to change the window location to the IDP login page
        // and allow the user to log back in
        response.setHeader(HttpHeaders.LOCATION, getIdpLoginUrl());
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
    }
Now with ExceptionHandlingSpec we cannot achieve the same without hacks like copying the ServerHttpSecurity.OAuth2LoginSpec#setDefaultEntryPoints implementation.
Comment From: jzheaux
Hi, @orange-buffalo. This might be an option, but I wonder if there would be more impact here in simplifying the construction of ServerWebExchangeMatchers. Based on

> We would like to preserve the default entry points (for instance, for HTML requests)

it seems that the majority of the code you are referring to is ServerWebExchangeMatcher boilerplate.
If you could do something like:
    ServerWebExchangeMatcher xhr = ServerWebExchangeMatchers.xhr();
    ServerWebExchangeMatcher html = ServerWebExchangeMatchers.html();
    return new DelegatingServerAuthenticationEntryPoint(
        new DelegateEntry(xhr, this::sendAjaxResponse),
        new DelegateEntry(html, new RedirectServerAuthenticationEntryPoint("/login"))
    );
Would that simplify things?
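The following is an added example, not code from this thread or from the Spring Security project: a WebFlux configuration that builds the delegating entry point with APIs that exist today, using a hand-written header matcher in place of the proposed `ServerWebExchangeMatchers.xhr()`. The class name `AjaxAwareSecurityConfig` and the `LOGIN_URL` value are assumptions, and a configured OAuth2 client registration is assumed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.DelegatingServerAuthenticationEntryPoint;
import org.springframework.security.web.server.DelegatingServerAuthenticationEntryPoint.DelegateEntry;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Added example; the class name and LOGIN_URL are assumptions, not from the issue.
@Configuration
@EnableWebFluxSecurity
public class AjaxAwareSecurityConfig {
    private static final String LOGIN_URL = "/login"; // stands in for getIdpLoginUrl()

    // Matches AJAX calls by the same header the servlet configuration in the issue used.
    private final ServerWebExchangeMatcher xhr = exchange ->
            "XMLHttpRequest".equals(exchange.getRequest().getHeaders().getFirst("X-Requested-With"))
                    ? MatchResult.match() : MatchResult.notMatch();

    // Reactive counterpart of sendAjaxResponse: 401 plus a Location header for the frontend.
    private Mono<Void> sendAjaxResponse(ServerWebExchange exchange, AuthenticationException ex) {
        exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
        exchange.getResponse().getHeaders().set(HttpHeaders.LOCATION, LOGIN_URL);
        return exchange.getResponse().setComplete();
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        DelegatingServerAuthenticationEntryPoint entryPoint =
                new DelegatingServerAuthenticationEntryPoint(new DelegateEntry(xhr, this::sendAjaxResponse));
        // Requests that are not XHR get a browser redirect instead of the bare 401 default.
        entryPoint.setDefaultEntryPoint(new RedirectServerAuthenticationEntryPoint(LOGIN_URL));
        return http
                .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
                .oauth2Login(Customizer.withDefaults())
                .exceptionHandling(handling -> handling.authenticationEntryPoint(entryPoint))
                .build();
    }
}
```

Setting `authenticationEntryPoint` this way replaces the entry points that `OAuth2LoginSpec` would otherwise contribute, so the redirect for non-XHR requests has to be restated here. The `X-Requested-With` header is client-supplied and only selects the response shape; it is not an authorization input.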
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.