ExceptionHandlingConfigurer

jzheaux · jzheaux · commit cbe9c7699c18 · 2025-09-03T18:03:42.000-06:00
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java
@@ -231,6 +231,10 @@ public FormLoginConfigurer<H> successForwardUrl(String forwardUrl) {
 	public void init(H http) throws Exception {
 		super.init(http);
 		initDefaultLoginFilter(http);
+		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.defaultAuthenticationEntryPointFor(getAuthenticationEntryPoint(), "FACTOR_PASSWORD");
+		}
 	}
 
 	@Override
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
@@ -28,6 +28,7 @@
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.ui.DefaultResourcesFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -150,6 +151,15 @@ public WebAuthnConfigurer<H> creationOptionsRepository(
 		return this;
 	}
 
+	@Override
+	public void init(H http) throws Exception {
+		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/login"),
+					"FACTOR_WEBAUTHN");
+		}
+	}
+
 	@Override
 	public void configure(H http) throws Exception {
 		UserDetailsService userDetailsService = getSharedOrBean(http, UserDetailsService.class)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
@@ -186,7 +186,8 @@ public void init(H http) {
 			.setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE);
+			exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE,
+					"FACTOR_X509");
 		}
 	}
 
@@ -248,10 +249,7 @@ private AuthorityGrantingAuthenticationProvider(AuthenticationProvider delegate)
 			if (result == null) {
 				return result;
 			}
-			return result
-				.toBuilder()
-				.authorities((a) -> a.add(new SimpleGrantedAuthority("FACTOR_X509")))
-				.build();
+			return result.toBuilder().authorities((a) -> a.add(new SimpleGrantedAuthority("FACTOR_X509"))).build();
 		}
 
 		@Override
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@@ -41,6 +41,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.Authentication;
@@ -374,6 +375,10 @@ public void init(B http) throws Exception {
 			http.authenticationProvider(new OidcAuthenticationRequestChecker());
 		}
 		this.initDefaultLoginFilter(http);
+		ExceptionHandlingConfigurer<B> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.defaultAuthenticationEntryPointFor(getAuthenticationEntryPoint(), "FACTOR_AUTHORIZATION_CODE");
+		}
 	}
 
 	@Override
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@@ -259,6 +259,10 @@ public void init(H http) {
 		if (authenticationProvider != null) {
 			http.authenticationProvider(authenticationProvider);
 		}
+		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.defaultAuthenticationEntryPointFor(this.authenticationEntryPoint, "FACTOR_BEARER");
+		}
 	}
 
 	@Override
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java
@@ -16,10 +16,15 @@
 
 package org.springframework.security.config.annotation.web.configurers.ott;
 
+import java.io.IOException;
 import java.util.Collections;
 import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
 
+import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpMethod;
@@ -35,8 +40,15 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.FormPostRedirectStrategy;
+import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
@@ -55,6 +67,7 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * An {@link AbstractHttpConfigurer} for One-Time Token Login.
@@ -134,6 +147,12 @@ public void init(H http) throws Exception {
 		AuthenticationProvider authenticationProvider = getAuthenticationProvider();
 		http.authenticationProvider(postProcess(authenticationProvider));
 		intiDefaultLoginFilter(http);
+		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			AuthenticationEntryPoint entryPoint = new PostAuthenticationEntryPoint(
+					this.tokenGeneratingUrl + "?username={u}", Map.of("u", Authentication::getName));
+			exceptions.defaultAuthenticationEntryPointFor(entryPoint, "FACTOR_OTT");
+		}
 	}
 
 	private void intiDefaultLoginFilter(H http) {
@@ -391,4 +410,52 @@ public ApplicationContext getContext() {
 		return this.context;
 	}
 
+	private static final class PostAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+		private final String entryPointUri;
+
+		private final Map<String, Function<Authentication, String>> params;
+
+		private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
+		private RedirectStrategy redirectStrategy = new FormPostRedirectStrategy();
+
+		private PostAuthenticationEntryPoint(String entryPointUri,
+				Map<String, Function<Authentication, String>> params) {
+			this.entryPointUri = entryPointUri;
+			this.params = params;
+		}
+
+		@Override
+		public void commence(HttpServletRequest request, HttpServletResponse response,
+				AuthenticationException authException) throws IOException, ServletException {
+			Authentication authentication = getAuthentication(authException);
+			Assert.notNull(authentication, "could not find authentication in order to perform post");
+			Map<String, String> params = this.params.entrySet()
+				.stream()
+				.collect(Collectors.toMap(Map.Entry::getKey, (entry) -> entry.getValue().apply(authentication)));
+			UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(this.entryPointUri);
+			CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+			if (csrf != null) {
+				builder.queryParam(csrf.getParameterName(), csrf.getToken());
+			}
+			String entryPointUrl = builder.build(false).expand(params).toUriString();
+			this.redirectStrategy.sendRedirect(request, response, entryPointUrl);
+		}
+
+		private Authentication getAuthentication(AuthenticationException authException) {
+			Authentication authentication = authException.getAuthenticationRequest();
+			if (authentication != null && authentication.isAuthenticated()) {
+				return authentication;
+			}
+			authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
+			if (authentication != null && authentication.isAuthenticated()) {
+				return authentication;
+			}
+			return null;
+		}
+
+	}
+
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
@@ -33,6 +33,7 @@
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
@@ -305,6 +306,10 @@ public void init(B http) throws Exception {
 		if (this.authenticationManager == null) {
 			registerDefaultAuthenticationProvider(http);
 		}
+		ExceptionHandlingConfigurer<B> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.defaultAuthenticationEntryPointFor(getAuthenticationEntryPoint(), "FACTOR_SAML_RESPONSE");
+		}
 	}
 
 	/**
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java b/core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationDecision.java
@@ -27,7 +27,7 @@
  * @author Marcus Da Coregio
  * @since 5.6
  */
-public class AuthorityAuthorizationDecision extends AuthorizationDecision {
+public class AuthorityAuthorizationDecision extends AuthorizationDecision implements AuthorizationRequest {
 
 	@Serial
 	private static final long serialVersionUID = -8338309042331376592L;
diff --git a/core/src/main/java/org/springframework/security/authorization/AuthorizationRequest.java b/core/src/main/java/org/springframework/security/authorization/AuthorizationRequest.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import java.util.Collection;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public interface AuthorizationRequest {
+
+	Collection<GrantedAuthority> getAuthorities();
+
+}
diff --git a/web/src/main/java/org/springframework/security/web/access/ExceptionTranslationFilter.java b/web/src/main/java/org/springframework/security/web/access/ExceptionTranslationFilter.java
@@ -196,7 +196,8 @@ private void handleAccessDeniedException(HttpServletRequest request, HttpServlet
 			}
 			AuthenticationException ex = new InsufficientAuthenticationException(
 					this.messages.getMessage("ExceptionTranslationFilter.insufficientAuthentication",
-							"Full authentication is required to access this resource"));
+							"Full authentication is required to access this resource"),
+					exception);
 			ex.setAuthenticationRequest(authentication);
 			sendStartAuthentication(request, response, chain, ex);
 		}

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,8 @@ public void init(H http) {`
`186`	`186`	`.setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());`
`187`	`187`	`ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);`
`188`	`188`	`if (exceptions != null) {`
`189`		`- exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE);`
	`189`	`+ exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE,`
	`190`	`+ "FACTOR_X509");`
`190`	`191`	`}`
`191`	`192`	`}`
`192`	`193`
`@@ -248,10 +249,7 @@ private AuthorityGrantingAuthenticationProvider(AuthenticationProvider delegate)`
`248`	`249`	`if (result == null) {`
`249`	`250`	`return result;`
`250`	`251`	`}`
`251`		`- return result`
`252`		`- .toBuilder()`
`253`		`- .authorities((a) -> a.add(new SimpleGrantedAuthority("FACTOR_X509")))`
`254`		`- .build();`
	`252`	`+ return result.toBuilder().authorities((a) -> a.add(new SimpleGrantedAuthority("FACTOR_X509"))).build();`
`255`	`253`	`}`
`256`	`254`
`257`	`255`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -259,6 +259,10 @@ public void init(H http) {`
`259`	`259`	`if (authenticationProvider != null) {`
`260`	`260`	`http.authenticationProvider(authenticationProvider);`
`261`	`261`	`}`
	`262`	`+ ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);`
	`263`	`+ if (exceptions != null) {`
	`264`	`+ exceptions.defaultAuthenticationEntryPointFor(this.authenticationEntryPoint, "FACTOR_BEARER");`
	`265`	`+ }`
`262`	`266`	`}`
`263`	`267`
`264`	`268`	`@Override`