Menu
I have an app using Spring Security 3.0.x. There I have a custom AuthenticationProvider:
public class AppAuthenticationProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
...
if (!check1()) throw new UsernameNotFoundException();
if (!check2()) throw new DisabledException();
...
}
I'd like to send cutom response codes on each exception, for example 404 for UsernameNotFoundException, 403 for DisabledException etc. For now I just have authentication-failure-url in my spring security configuration so I get redirect to it on each exception in authenticate().
452
Spring MVC provides exception handling for your web application to make sure you are sending your own exception page instead of the server-generated exception to the user. The @ExceptionHandler annotation is used to detect certain runtime exceptions and send responses according to the exception.
Simply put, Spring Security hold the principal information of each authenticated user in a ThreadLocal – represented as an Authentication object. In order to construct and set this Authentication object – we need to use the same approach Spring Security typically uses to build the object on a standard authentication.
Exception Handling in Spring Boot helps to deal with errors and exceptions present in APIs so as to deliver a robust enterprise application. This article covers various ways in which exceptions can be handled in a Spring Boot Project.
Since this is an exception handling, we are using the Spring security . excepTionHandling() method and telling that we like to handle the access denied use case by passing custom access denied handler to the accessDeniedHandler() method ( . exceptionHandling(). accessDeniedHandler(accessDeniedHandler() ).
Authentication failure handler :
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
super.onAuthenticationFailure(request, response, exception);
if(exception.getClass().isAssignableFrom(UsernameNotFoundException.class)) {
showMessage("BAD_CREDENTIAL");
} else if (exception.getClass().isAssignableFrom(DisabledException.class)) {
showMessage("USER_DISABLED");
}
}
configuration :
<bean id="customAuthenticationFailureHandler"
class="com.apackage.CustomAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/index.jsp"/>
</bean>
<security:http auto-config="true">
<security:form-login default-target-url="/welcome.jsp" authentication-failure-handler-ref="customAuthenticationFailureHandler" />
</security:http>
It's usually a bad idea to provide details on why an authentication failed as it can provide an attacker with useful information. For example, it can allow them to probe for valid account names.
If you need to customize things, then rather than using an authentication-failure-url, you can use authentication-failure-handler-ref to inject a custom AuthenticationFailureHandler bean where you can implement different behaviour depending on the exception.
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
