OneTimeTokenAuthenticationFilter throws an exception if authenticationConverter returns null. However, it seems reasonable that an application will have a downstream filter or controller method that handles /login/ott differently from the filter.

As such, it may be helpful to have it do this:

```java
chain.doFilter(request, response);
```

instead of:

```java
throw new BadCredentialsException("message");
```

/cc @Kehrlann

Comment From: Kehrlann

Good question. In which context did it come up?

The closest experience we have for this kind of authentication is form login. While form login allows users to override the loginPage to handle displaying a custom login page for submitting credentials, I don't think it allows users to have their own login-processing logic (just override the URL).

We have the same for OTT for now: users can make their own "request a token" page, their own "Submit a token" page, but we don't allow custom authentication request processing.

We should probably keep the same pattern, for consistency.

Comment From: jzheaux

The context is the JavaDoc for AuthenticationConverter (emphasis **mine**):

/**
 * A strategy used for converting from a {@link HttpServletRequest} to an
 * {@link Authentication} of particular type. Used to authenticate with appropriate
 * {@link AuthenticationManager}. **If the result is null, then it signals that no
 * authentication attempt should be made.** It is also possible to throw
 * {@link AuthenticationException} within the {@link #convert(HttpServletRequest)} if
 * there was invalid Authentication scheme value.
 *
 */

While I think your comment is fair regarding form login, since it doesn't yet use AuthenticationConverter, I'm not as concerned. Generally speaking, a null return value means that XYZ Security component doesn't care to participate. AuthenticationManager/Provider and AuthorizationManager follow this pattern as well.

Comment From: jzheaux

Please also see https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java#L215
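The following is an added, simplified illustration of the convention discussed in this thread, not code from Spring Security itself: a hypothetical `NullAwareTokenFilter` that treats a null result from `AuthenticationConverter.convert` as "do not participate" and passes the request down the chain, while a thrown `AuthenticationException` (from the converter or the `AuthenticationManager`) is treated as a failed attempt. It assumes the Jakarta Servlet API and Spring Security's public `AuthenticationConverter`, `AuthenticationManager` and `SecurityContextHolder` types; the real `AuthenticationFilter` additionally delegates to success and failure handlers.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not part of Spring Security) showing the
// "null means the converter declines to participate" convention.
public class NullAwareTokenFilter extends OncePerRequestFilter {

    private final AuthenticationConverter converter;
    private final AuthenticationManager authenticationManager;

    public NullAwareTokenFilter(AuthenticationConverter converter,
            AuthenticationManager authenticationManager) {
        this.converter = converter;
        this.authenticationManager = authenticationManager;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        try {
            Authentication authenticationRequest = this.converter.convert(request);
            if (authenticationRequest == null) {
                // No authentication attempt should be made: leave the request to a
                // downstream filter or controller (e.g. a custom /login/ott handler).
                chain.doFilter(request, response);
                return;
            }
            Authentication result = this.authenticationManager.authenticate(authenticationRequest);
            SecurityContextHolder.getContext().setAuthentication(result);
            chain.doFilter(request, response);
        }
        catch (AuthenticationException ex) {
            // The converter recognised the request but found it invalid, or the
            // manager rejected the credentials: this is a failed attempt, not a skip.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```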