Example test showing the minimalist response to an empty Authorizatio… #16976
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the idea, @danielshiplett, though this deviates from the RFC which states (emphasis mine):
As such, I'm going to close this PR. Note that you can publish your own entry point that does as you describe: class MyAuthenticationEntryPoint implements AuthenticationEntryPoint {
private final BearerAuthenticationEntryPoint delegate = new BearerAuthenticationEntryPoint();
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) {
if (ex instanceof InsufficientAuthenticationException insufficient) {
this.delegate.commence(request, response, new OAuth2AuthenticationException("missing token"));
return;
}
this.delegate.commence(request, response, ex);
}
} |
jzheaux
added
type: enhancement
|
Hey Josh. Great feedback. Thanks for the callout on the RFC and the example. I take it, like most of the Beans, if I create my own |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…n header
relates to #16977
We recently had an application request fail to provide any bearer token in the Authorization header. They received a 401 as expected. However, the
www-authenticateresponse header only had the wordBearerin the value. This made it difficult to debug as it implied that they were sending a bearer token when they weren't.I suggest an improvement in Spring Security to add an error message such as
missing_tokenor some other similar value to help identify the root problem.This PR contains a test case that will pass when the additional error message is provided.
I am willing to provide a fix for this as well. However, I don't know where in Spring Security to implement such a fix. I know about
BearerTokenAuthenticationEntryPointwhere other bearer token related errors have their details added. However, that doesn't feel right in this case because we aren't 100% guaranteed the intent of the request was to provide a bearer token (some other form of Authorization may be supported along with OAuth2 Resource Server).