SECOAUTH-175: Introduced OAuth2AuthenticationFailureHandler

rwinch · Dave Syer · commit 32ecbcce9feb · 2011-12-24T10:05:15.000Z
diff --git a/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/TestNativeApplicationProvider.java b/samples/oauth2/sparklr/src/test/java/org/springframework/security/oauth2/provider/TestNativeApplicationProvider.java
@@ -18,6 +18,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.crypto.codec.Base64;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -100,14 +101,18 @@ public void testHappyDayWithHeader() throws Exception {
 	 * tests a happy-day flow of the native application profile.
 	 */
 	@Test
+	@SuppressWarnings({ "unchecked", "rawtypes" })
 	public void testSecretRequired() throws Exception {
 		MultiValueMap<String, String> formData = new LinkedMultiValueMap<String, String>();
 		formData.add("grant_type", "password");
 		formData.add("client_id", "my-trusted-client-with-secret");
 		formData.add("username", "marissa");
 		formData.add("password", "koala");
-		ResponseEntity<String> response = serverRunning.postForString("/sparklr2/oauth/token", formData);
+		ResponseEntity<Map> response = serverRunning.postForMap("/sparklr2/oauth/token", formData);
 		assertEquals(HttpStatus.UNAUTHORIZED, response.getStatusCode());
+		assertEquals(MediaType.APPLICATION_JSON,response.getHeaders().getContentType());
+		OAuth2Exception oauthException = OAuth2Exception.valueOf(response.getBody());
+		assertTrue("Should be an instance of InvalidClientException. Got "+oauthException,oauthException instanceof InvalidClientException);
 	}
 
 	/**
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/filter/ClientCredentialsTokenEndpointFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/filter/ClientCredentialsTokenEndpointFilter.java
@@ -22,6 +22,7 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.web.authentication.OAuth2AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
@@ -38,6 +39,7 @@ public class ClientCredentialsTokenEndpointFilter extends AbstractAuthentication
 
 	protected ClientCredentialsTokenEndpointFilter() {
 		super("/oauth/token");
+		setAuthenticationFailureHandler(new OAuth2AuthenticationFailureHandler());
 	}
 
 	@Override
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/web/authentication/OAuth2AuthenticationFailureHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/web/authentication/OAuth2AuthenticationFailureHandler.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2011 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.web.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.web.OAuth2ExceptionRenderer;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.util.Assert;
+import org.springframework.web.context.request.ServletWebRequest;
+
+/**
+ * Writes an {@link InvalidClientException} to the response using the {@link OAuth2ExceptionRenderer}.
+ *
+ * @author Rob Winch
+ */
+public final class OAuth2AuthenticationFailureHandler implements AuthenticationFailureHandler {
+	private OAuth2ExceptionRenderer exceptionRenderer = new OAuth2ExceptionRenderer();
+
+	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+			AuthenticationException exception) throws IOException, ServletException {
+
+		InvalidClientException result = new InvalidClientException(exception.getMessage(), exception);
+		// TODO: the status code should probably be result.getHttpErrorCode() but it returns 400. The spec seems to
+		// indicate it should be 401. See SECOAUTH-176
+		ResponseEntity<OAuth2Exception> responseEntity = new ResponseEntity<OAuth2Exception>(result,HttpStatus.UNAUTHORIZED);
+
+		try {
+			exceptionRenderer.handleHttpEntityResponse(responseEntity , new ServletWebRequest(request,response));
+		}
+		catch (Exception e) {
+			throw new ServletException("Failed to render "+responseEntity, e);
+		}
+	}
+
+	/**
+	 * Set the {@link OAuth2ExceptionRenderer} to be used. This allows for supporting custom Media Types.
+	 * @param exceptionRenderer
+	 */
+	public void setExceptionRenderer(OAuth2ExceptionRenderer exceptionRenderer) {
+		Assert.notNull(exceptionRenderer,"exceptionRenderer cannot be null");
+		this.exceptionRenderer = exceptionRenderer;
+	}
+}
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/web/authentication/TestOAuth2AuthenticationFailureHandler.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/web/authentication/TestOAuth2AuthenticationFailureHandler.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright 2011 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.springframework.security.oauth2.web.authentication;
+
+import static org.easymock.EasyMock.createMock;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
+import org.springframework.security.oauth2.provider.web.OAuth2ExceptionRenderer;
+import org.springframework.web.context.request.ServletWebRequest;
+
+/**
+ *
+ * @author Rob Winch
+ */
+public class TestOAuth2AuthenticationFailureHandler {
+	@Rule
+	public ExpectedException thrown = ExpectedException.none();
+
+	private OAuth2ExceptionRendererStub renderer;
+	private HttpServletRequest request;
+	private HttpServletResponse response;
+	private AuthenticationException originalException;
+
+	private OAuth2AuthenticationFailureHandler handler;
+
+	@Before
+	public void setUp() {
+		renderer = new OAuth2ExceptionRendererStub();
+		request = createMock(HttpServletRequest.class);
+		response = createMock(HttpServletResponse.class);
+		originalException = new UsernameNotFoundException("not found");
+
+		handler = new OAuth2AuthenticationFailureHandler();
+		handler.setExceptionRenderer(renderer);
+	}
+
+	@Test
+	public void onAuthenticationFailure() throws Exception {
+		handler.onAuthenticationFailure(request, response, originalException);
+		Object body = renderer.entity.getBody();
+		assertTrue("The entity should be an InvalidClientException. Got "+body,body instanceof InvalidClientException);
+		assertEquals(HttpStatus.UNAUTHORIZED,renderer.entity.getStatusCode());
+		assertSame(request,renderer.webRequest.getNativeRequest());
+		assertSame(response,renderer.webRequest.getNativeResponse());
+	}
+
+	@Test
+	public void setExceptionRendererNullExceptionRenderer() {
+		thrown.expect(IllegalArgumentException.class);
+		thrown.expectMessage("exceptionRenderer cannot be null");
+		handler.setExceptionRenderer(null);
+	}
+
+	/**
+	 * Rather than deal with EasyMock class extension just capture the arguments using this stub
+	 */
+	private static class OAuth2ExceptionRendererStub extends OAuth2ExceptionRenderer {
+		private ResponseEntity<?> entity;
+		private ServletWebRequest webRequest;
+		@Override
+		public void handleHttpEntityResponse(HttpEntity<?> responseEntity, ServletWebRequest webRequest)
+				throws Exception {
+			this.entity = (ResponseEntity<?>) responseEntity;
+			this.webRequest = webRequest;
+		}
+	}
+}
