SECOAUTH-175: Introduced OAuth2AuthenticationFailureHandler

Author: rwinch

samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/TestNativeApplicationProvider.java

@@ -18,6 +18,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -100,14 +101,18 @@ public void testHappyDayWithHeader() throws Exception {
  * tests a happy-day flow of the native application profile.
  */
 @Test
+@SuppressWarnings({ "unchecked", "rawtypes" })
 public void testSecretRequired() throws Exception {
 MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
 formData.add("grant_type", "password");
 formData.add("client_id", "my-trusted-client-with-secret");
 formData.add("username", "marissa");
 formData.add("password", "koala");
-ResponseEntity<String> response = serverRunning.postForString("/sparklr2/oauth/token", formData);
+ResponseEntity<Map> response = serverRunning.postForMap("/sparklr2/oauth/token", formData);
 assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
+assertEquals(MediaType.APPLICATION_JSON,response.getHeaders().getContentType());
+OAuth2Exception oauthException = OAuth2Exception.valueOf(response.getBody());
+assertTrue("Should be an instance of InvalidClientException. Got "+oauthException,oauthException instanceof InvalidClientException);
 }
 
 /**

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/filter/ClientCredentialsTokenEndpointFilter.java

@@ -22,6 +22,7 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.web.authentication.OAuth2AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
@@ -38,6 +39,7 @@ public class ClientCredentialsTokenEndpointFilter extends AbstractAuthentication
 
 protected ClientCredentialsTokenEndpointFilter() {
 super("/oauth/token");
+setAuthenticationFailureHandler(new OAuth2AuthenticationFailureHandler());
 }
 
 @Override

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/web/authentication/OAuth2AuthenticationFailureHandler.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2011 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.web.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.web.OAuth2ExceptionRenderer;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.util.Assert;
+import org.springframework.web.context.request.ServletWebRequest;
+
+/**
+ * Writes an {@link InvalidClientException} to the response using the {@link OAuth2ExceptionRenderer}.
+ *
+ * @author Rob Winch
+ */
+public final class OAuth2AuthenticationFailureHandler implements AuthenticationFailureHandler {
+private OAuth2ExceptionRenderer exceptionRenderer = new OAuth2ExceptionRenderer();
+
+public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+AuthenticationException exception) throws IOException, ServletException {
+
+InvalidClientException result = new InvalidClientException(exception.getMessage(), exception);
+// TODO: the status code should probably be result.getHttpErrorCode() but it returns 400. The spec seems to
+// indicate it should be 401. See SECOAUTH-176
+ResponseEntity<OAuth2Exception> responseEntity = new ResponseEntity<OAuth2Exception>(result,HttpStatus.UNAUTHORIZED);
+
+try {
+exceptionRenderer.handleHttpEntityResponse(responseEntity , new ServletWebRequest(request,response));
+}
+catch (Exception e) {
+throw new ServletException("Failed to render "+responseEntity, e);
+}
+}
+
+/**
+ * Set the {@link OAuth2ExceptionRenderer} to be used. This allows for supporting custom Media Types.
+ * @param exceptionRenderer
+ */
+public void setExceptionRenderer(OAuth2ExceptionRenderer exceptionRenderer) {
+Assert.notNull(exceptionRenderer,"exceptionRenderer cannot be null");
+this.exceptionRenderer = exceptionRenderer;
+}
+}

spring-security-oauth2/src/test/java/org/springframework/security/oauth2/web/authentication/TestOAuth2AuthenticationFailureHandler.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2011 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.web.authentication;
+
+import static org.easymock.EasyMock.createMock;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.provider.web.OAuth2ExceptionRenderer;
+import org.springframework.web.context.request.ServletWebRequest;
+
+/**
+ *
+ * @author Rob Winch
+ */
+public class TestOAuth2AuthenticationFailureHandler {
+@Rule
+public ExpectedException thrown = ExpectedException.none();
+
+private OAuth2ExceptionRendererStub renderer;
+private HttpServletRequest request;
+private HttpServletResponse response;
+private AuthenticationException originalException;
+
+private OAuth2AuthenticationFailureHandler handler;
+
+@Before
+public void setUp() {
+renderer = new OAuth2ExceptionRendererStub();
+request = createMock(HttpServletRequest.class);
+response = createMock(HttpServletResponse.class);
+originalException = new UsernameNotFoundException("not found");
+
+handler = new OAuth2AuthenticationFailureHandler();
+handler.setExceptionRenderer(renderer);
+}
+
+@Test
+public void onAuthenticationFailure() throws Exception {
+handler.onAuthenticationFailure(request, response, originalException);
+Object body = renderer.entity.getBody();
+assertTrue("The entity should be an InvalidClientException. Got "+body,body instanceof InvalidClientException);
+assertEquals(HttpStatus.UNAUTHORIZED,renderer.entity.getStatusCode());
+assertSame(request,renderer.webRequest.getNativeRequest());
+assertSame(response,renderer.webRequest.getNativeResponse());
+}
+
+@Test
+public void setExceptionRendererNullExceptionRenderer() {
+thrown.expect(IllegalArgumentException.class);
+thrown.expectMessage("exceptionRenderer cannot be null");
+handler.setExceptionRenderer(null);
+}
+
+/**
+ * Rather than deal with EasyMock class extension just capture the arguments using this stub
+ */
+private static class OAuth2ExceptionRendererStub extends OAuth2ExceptionRenderer {
+private ResponseEntity<?> entity;
+private ServletWebRequest webRequest;
+@Override
+public void handleHttpEntityResponse(HttpEntity<?> responseEntity, ServletWebRequest webRequest)
+throws Exception {
+this.entity = (ResponseEntity<?>) responseEntity;
+this.webRequest = webRequest;
+}
+}
+}