Ludovic Praud (Migrated from SEC-1586) said:

When using remote authentication over RMI, I use the RemoteAuthenticationManagerImpl class, which translates AuthenticationException into RemoteAuthenticationException. When the exception comes back to the client layer, the Spring Security filter does not catch it because it is not of AuthenticationException type. This is not very useful because I'd expect the Spring Security filter to handle this transparently. But right now I need to translate this exception myself. It would be cool to provide such translation on the client-side implementation of RemoteAuthenticationProvider.

Comment From: spring-projects-issues

Per Holmberg said:

As a work-around, you can create and use this bean class:

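```java
import org.springframework.security.authentication.rcp.RemoteAuthenticationException;
import org.springframework.security.authentication.rcp.RemoteAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class FixedRemoteAuthenticationProvider extends RemoteAuthenticationProvider {
    @Override
    public Authentication authenticate(Authentication auth) {
        try {
            return super.authenticate(auth);
        } catch (RemoteAuthenticationException rae) {
            // Rethrow as an AuthenticationException (anonymous subclass, since the
            // type is abstract) so the client-side security filter handles it.
            throw new AuthenticationException(rae.getMessage(), rae) { };
        }
    }
}
```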

Comment From: rwinch

This issue is ideal for contributions. The solution would modify RemoteAuthenticationProvider to have a boolean property named wrapRemoteAuthenticationException with a default value of false. If it was true, the RemoteAuthenticationException would be wrapped in an AuthenticationException. The solution should also include tests.

Comment From: dkodippily

@rwinch can I work on this?

Comment From: holmis83

Since serialization-based remoting is deprecated, maybe this should be deprecated too? (To favour REST/OAuth2 type of authentication, which I changed to.)

Comment From: jzheaux

@holmis83 thanks for bringing this up. To be clear, are you referring to https://github.com/spring-projects/spring-framework/issues/25379 or something else?

Comment From: holmis83

> @holmis83 thanks for bringing this up. To be clear, are you referring to spring-projects/spring-framework#25379 or something else?

@jzheaux Yes, RemoteAuthenticationManager is (was?) typically used in conjunction with httpinvoker package, which was deprecated with the above issue.

Comment From: SeifMostafa

@rwinch I think it's deprecated by closed #10384. If not, can you clarify and provide guidelines to work on it, if possible?

Comment From: rwinch

@SeifMostafa You are right. What's more is that for 6.x RMI support was removed. See gh-10366