Expected Behavior
It's possible to specify a fallback option for defaultAuthenticationEntryPoint, like:
```kotlin
.exceptionHandling { exceptionHandling ->
    exceptionHandling.defaultAuthenticationEntryPointFallback(Http403ForbiddenEntryPoint())
}
```
Current Behavior
It uses the first mapping as the default, which is really very strange, because if it didn't match while iterating in DelegatingEntryPoint, why should we use it as a fallback?
```java
entryPoint.setDefaultEntryPoint(this.defaultEntryPointMappings.values().iterator().next());
```
Context
When we are configuring the oauth2 login filter, it also configures defaultEntryPointMappings, but it should match only web page resources (see). In practice it will match any request, because 1) it uses the first mapping as the default entry point, and 2) in case we have only one mapping, OAuth2LoginConfigurer registers a DelegatingAuthenticationEntryPoint that uses the defaultEntryPoint as itself.
And if we try to achieve this behavior: 401/403 on API calls and a redirect to login for web page resources, it's hard to do.
As a workaround, knowing that the first mapping is used as defaultEntryPoint, we can configure it like this:
```kotlin
.exceptionHandling { exceptionHandling ->
    // exceptionHandling.authenticationEntryPointFallback(Http403ForbiddenEntryPoint())
    exceptionHandling.defaultAuthenticationEntryPointFor(
        Http403ForbiddenEntryPoint(),
        NegatedRequestMatcher(AnyRequestMatcher.INSTANCE)
    )
}
```
Suggested approach
```java
private AuthenticationEntryPoint defaultEntryPointFallback = new Http403ForbiddenEntryPoint();

public ExceptionHandlingConfigurer<H> defaultAuthenticationEntryPointFallback(AuthenticationEntryPoint entryPoint) {
    this.defaultEntryPointFallback = entryPoint;
    return this;
}

private AuthenticationEntryPoint createDefaultEntryPoint(H http) {
    DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(this.defaultEntryPointMappings);
    entryPoint.setDefaultEntryPoint(this.defaultEntryPointFallback);
    return entryPoint;
}
```
Similar code would be nice to have for AccessDeniedHandler.
I know that will break the current behavior, where on any forbidden request we get redirected to the login page, but I don't think it was done intentionally, looking at the matcher with media type only for web page resources; it seems like a mistake. Open to your thoughts.
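The workaround described in the post, written out as a complete Java security configuration so the ordering trick is visible in one place. This is an added example, not the reporter's code and not part of Spring Security; it assumes Spring Security 6 with the lambda DSL, a single oauth2Login client using the default `/login` page, and that the first registered mapping becomes the delegating entry point's default, as the post describes. The class name `ApiVsWebEntryPointConfig` and the variable names `htmlRequest` and `never` are my own.

```java
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example: API clients get a plain 403, browsers get redirected to the login page.
@Configuration
public class ApiVsWebEntryPointConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // Only requests that negotiate text/html (a browser page) are treated as web resources.
        // Accept: */* is ignored so an API client without a specific Accept header is not
        // mistaken for a browser and sent to the login page.
        MediaTypeRequestMatcher htmlRequest = new MediaTypeRequestMatcher(MediaType.TEXT_HTML);
        htmlRequest.setIgnoredMediaTypes(Set.of(MediaType.ALL));

        // A matcher that never matches. Its only purpose is to register the 403 entry point
        // as the FIRST mapping: per the issue, that first mapping becomes the delegating
        // entry point's default, i.e. the fallback for every request no other mapping matches.
        RequestMatcher never = new NegatedRequestMatcher(AnyRequestMatcher.INSTANCE);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .exceptionHandling(eh -> eh
                // Registered first on purpose: ordering decides the fallback.
                // HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED) is the 401 alternative.
                .defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), never)
                // Explicit HTML mapping: browsers are redirected to the login page.
                .defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/login"), htmlRequest))
            // oauth2Login registers its own HTML mapping as well, but it is added after
            // the two above, so it no longer becomes the fallback for API calls.
            .oauth2Login(Customizer.withDefaults());

        return http.build();
    }
}
```

With this configuration an unauthenticated `GET /api/orders` sent with `Accept: application/json` (or no Accept header) receives `403 Forbidden`, while `GET /dashboard` with `Accept: text/html` receives a `302` to `/login`. If the two `defaultAuthenticationEntryPointFor` calls are swapped, the `LoginUrlAuthenticationEntryPoint` becomes the first mapping and therefore the fallback, and API calls are redirected to the login page again, which is exactly the behaviour the issue complains about.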
Comment From: jgrandja
@scrat98 Apologies but I'm not understanding the issue you are having.
What would be helpful and efficient on my end is if you can put together a minimal sample that reproduces the issue you are having. Thanks.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.