`OneTimeTokenAuthenticationFilter` throws an exception if `authenticationConverter` returns `null`. However, it seems reasonable that an application will have a downstream filter or controller method that handles `/login/ott` differently from the filter.

As such, it may be helpful to have it do this:

```java
chain.doFilter(request, response)
```

instead of:

```java
throw new BadCredentialsException("message");
```
/cc @Kehrlann
Comment From: Kehrlann
Good question. In which context did it come up?
The closest experience we have for this kind of authentication is form login. While form login allows users to override the `loginPage` to handle displaying a custom login page for submitting credentials, I don't think it allows users to have their own login-processing logic (just override the URL).
We have the same for OTT for now: users can make their own "request a token" page, their own "Submit a token" page, but we don't allow custom authentication request processing.
We should probably keep the same pattern, for consistency.
Comment From: jzheaux
The context is the JavaDoc for `AuthenticationConverter` (emphasis **mine**):

```java
/**
 * A strategy used for converting from a {@link HttpServletRequest} to an
 * {@link Authentication} of particular type. Used to authenticate with appropriate
 * {@link AuthenticationManager}. **If the result is null, then it signals that no
 * authentication attempt should be made.** It is also possible to throw
 * {@link AuthenticationException} within the {@link #convert(HttpServletRequest)} if
 * there was invalid Authentication scheme value.
 *
 */
```
While I think your comment is fair regarding form login, since it doesn't yet use `AuthenticationConverter` I'm not as concerned. Generally speaking, a `null` return value means that XYZ Security component doesn't care to participate. `AuthenticationManager`/`Provider` and `AuthorizationManager` follow this pattern as well.
Comment From: jzheaux
Please also see https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java#L215
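To make the convention discussed above concrete, here is an added example (not code from the Spring Security project or from either commenter) of a converter-driven login filter that treats a `null` result from `AuthenticationConverter` as "no authentication attempt", continuing the chain instead of failing the request. It assumes Spring Security 6.4+ on the classpath (for `OneTimeTokenAuthenticationToken`) and a Jakarta servlet container; the filter class, the `token` request parameter and the `/login/ott` path used here are illustrative choices, not the framework's own filter.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Illustrative filter (hypothetical, not the framework's OneTimeTokenAuthenticationFilter).
 * A null converter result means "this request is not a login attempt for me",
 * so the request is handed to the next filter or controller untouched.
 */
public class ConverterDrivenLoginFilter extends OncePerRequestFilter {

	// Assumed endpoint; matches the /login/ott path discussed in the issue.
	private final RequestMatcher requestMatcher = new AntPathRequestMatcher("/login/ott", "POST");

	private final AuthenticationConverter converter;

	private final AuthenticationManager authenticationManager;

	public ConverterDrivenLoginFilter(AuthenticationConverter converter, AuthenticationManager authenticationManager) {
		this.converter = converter;
		this.authenticationManager = authenticationManager;
	}

	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws ServletException, IOException {
		if (!this.requestMatcher.matches(request)) {
			chain.doFilter(request, response);
			return;
		}
		Authentication attempt = this.converter.convert(request);
		if (attempt == null) {
			// The alternative being questioned would be:
			//   throw new BadCredentialsException("message");
			// Following the AuthenticationConverter contract, decline to participate
			// and let a downstream filter or controller handle /login/ott instead.
			chain.doFilter(request, response);
			return;
		}
		try {
			Authentication result = this.authenticationManager.authenticate(attempt);
			SecurityContextHolder.getContext().setAuthentication(result);
			chain.doFilter(request, response);
		}
		catch (AuthenticationException ex) {
			// An explicit attempt that fails is still rejected; only a null attempt is passed through.
			SecurityContextHolder.clearContext();
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
		}
	}

	/**
	 * Hypothetical converter: only produces an attempt when a "token" parameter is present,
	 * otherwise returns null so the filter above skips authentication for this request.
	 */
	public static AuthenticationConverter tokenParameterConverter() {
		return (request) -> {
			String token = request.getParameter("token");
			if (token == null || token.isBlank()) {
				return null;
			}
			return OneTimeTokenAuthenticationToken.unauthenticated(token);
		};
	}

}
```

The distinction the filter draws is between "no attempt" and "failed attempt": a request without the expected token parameter is not an error, it is simply not this filter's business, whereas a malformed or expired token that the converter does produce still goes through `AuthenticationManager` and fails loudly. That is the same split the `AuthenticationConverter` JavaDoc describes (return `null` versus throw `AuthenticationException`).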