OneTimeTokenAuthenticationFilter throws an exception if authenticationConverter returns null. However, it seems reasonable that an application will have a downstream filter or controller method that handles /login/ott differently from the filter.
As such, it may be helpful to have it do this:

```java
chain.doFilter(request, response);
```

instead of:

```java
throw new BadCredentialsException("message");
```
/cc @Kehrlann
Comment From: Kehrlann
Good question. In which context did it come up?
The closest experience we have for this kind of authentication is form-login. While form-login allows users to override the loginPage to handle displaying a custom login page for submitting credentials, I don't think it allows users to have their own login-processing logic (just override the URL).
We have the same for OTT for now: users can make their own "request a token" page, their own "submit a token" page, but we don't allow custom authentication request processing.
We should probably keep the same pattern, for consistency.
Comment From: jzheaux
The context is the JavaDoc for AuthenticationConverter (emphasis **mine**):
/**
 * A strategy used for converting from a {@link HttpServletRequest} to an
 * {@link Authentication} of particular type. Used to authenticate with appropriate
 * {@link AuthenticationManager}. **If the result is null, then it signals that no
 * authentication attempt should be made.** It is also possible to throw
 * {@link AuthenticationException} within the {@link #convert(HttpServletRequest)} if
 * there was invalid Authentication scheme value.
 *
 */
While I think your comment is fair regarding form login, since it doesn't yet use AuthenticationConverter I'm not as concerned. Generally speaking, a null return value means that XYZ Security component doesn't care to participate. AuthenticationManager/Provider and AuthorizationManager follow this pattern as well.
Comment From: jzheaux
Please also see https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java#L215
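To make the two positions in this thread concrete, here is an added example (not Spring Security's own `OneTimeTokenAuthenticationFilter`, and not code from either commenter) of a filter that follows the `AuthenticationConverter` contract quoted above: a `null` result means "no authentication attempt", so the filter continues the chain and lets whatever is mapped to `/login/ott` downstream handle the request, which is what the issue proposes. It assumes Spring Security 6.4 (for `OneTimeTokenAuthenticationToken.unauthenticated`) and the Jakarta servlet API; the class name `NullAwareOneTimeTokenFilter`, the inline converter and the `/login/ott` matcher are illustrative choices, and the success path is kept deliberately minimal.

```java
// Added example: a filter that treats a null AuthenticationConverter result as
// "do not authenticate, continue the chain". Hypothetical class; it is not the
// project's OneTimeTokenAuthenticationFilter.
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

public class NullAwareOneTimeTokenFilter extends OncePerRequestFilter {

	// Only POST /login/ott is considered; everything else passes straight through.
	private final RequestMatcher requestMatcher = (request) -> "POST".equals(request.getMethod())
			&& "/login/ott".equals(request.getServletPath());

	// Reads the "token" parameter. Returning null follows the AuthenticationConverter
	// Javadoc: "If the result is null, then it signals that no authentication attempt
	// should be made."
	private final AuthenticationConverter authenticationConverter = (request) -> {
		String token = request.getParameter("token");
		if (token == null || token.isBlank()) {
			return null;
		}
		return OneTimeTokenAuthenticationToken.unauthenticated(token);
	};

	private final AuthenticationManager authenticationManager;

	public NullAwareOneTimeTokenFilter(AuthenticationManager authenticationManager) {
		this.authenticationManager = authenticationManager;
	}

	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
			throws ServletException, IOException {
		if (!this.requestMatcher.matches(request)) {
			chain.doFilter(request, response);
			return;
		}
		Authentication authenticationRequest = this.authenticationConverter.convert(request);
		if (authenticationRequest == null) {
			// The issue's proposal: rather than throwing BadCredentialsException, step
			// aside so a downstream filter or controller mapped to /login/ott can handle
			// the request (for example, rendering the "submit a token" page).
			chain.doFilter(request, response);
			return;
		}
		try {
			Authentication result = this.authenticationManager.authenticate(authenticationRequest);
			// Store the result in a fresh context; a production filter would also
			// persist it via a SecurityContextRepository and delegate to an
			// AuthenticationSuccessHandler (kept minimal here).
			SecurityContext context = SecurityContextHolder.createEmptyContext();
			context.setAuthentication(result);
			SecurityContextHolder.setContext(context);
			response.setStatus(HttpServletResponse.SC_OK);
		}
		catch (AuthenticationException ex) {
			// A present-but-invalid token is a real failed attempt, unlike the null case.
			SecurityContextHolder.clearContext();
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
		}
	}

}
```

The distinction the thread turns on is visible in the two early returns: a request without a `token` parameter is not an authentication attempt at all and reaches the rest of the chain, while a request whose token fails `AuthenticationManager.authenticate` is rejected. The same shape is what the linked `AuthenticationFilter` uses when its converter returns `null`.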