I have created a JwtAuthenticationFilter class that includes this method:
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        Authentication authentication = null;
        if (hasJsonToken(request)) {
            JwtAuthenticationToken jwtAuthenticationToken = new JwtAuthenticationToken(getJsonToken(request));
            authentication = getAuthenticationManager().authenticate(jwtAuthenticationToken);
        } else {
            throw new AuthenticationCredentialsNotFoundException(AUTHENTICATION_CREDENTIALS_NOT_FOUND_MSG);
        }
        return authentication;
    }
If no JWT is provided, an AuthenticationCredentialsNotFoundException is thrown. I expect this to call the commence method in my AuthenticationEntryPoint, which looks like this:
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
    }
The commence method is not called. This is my Spring Security configuration (or part of it):
    @Bean
    public RestAuthenticationEntryPoint restAuthenticationEntryPoint() {
        return new RestAuthenticationEntryPoint();
    }

    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
            .exceptionHandling().authenticationEntryPoint(restAuthenticationEntryPoint()).and()
            .csrf().disable()
            .authorizeRequests().antMatchers(AUTHORISED_SERVICE_REQUESTS_ANT_MATCHER).authenticated()
            .anyRequest().permitAll();
    }
I'm not sure what I am missing here, and I hope someone can tell me. Thanks
My SecurityConfig class extends WebSecurityConfigurerAdapter and is annotated with @Configuration and @EnableWebSecurity:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter { ... }
I am using Spring Boot.
So ... I ended up getting the behavior that I wanted by creating a custom AuthenticationFailureHandler and registering it in my authentication filter:
    jwtAuthenticationFilter.setAuthenticationFailureHandler(new JwtAuthenticationFailureHandler());
Now my question is: is this the right thing to do and what is the difference between AuthenticationEntryPoint and AuthenticationFailureHandler?
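
The distinction asked about above, as an added example that is not part of the original post. It assumes the poster's JwtAuthenticationFilter extends Spring Security's AbstractAuthenticationProcessingFilter (implied by attemptAuthentication and setAuthenticationFailureHandler) and uses a hypothetical class name, EntryPointDelegatingFailureHandler, for a failure handler that forwards to the existing entry point so both failure paths return the same 401 response:

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/**
 * Hypothetical helper (name is an assumption, not from the post).
 *
 * Two different components react to an AuthenticationException:
 *
 * 1. AuthenticationFailureHandler: AbstractAuthenticationProcessingFilter
 *    catches any AuthenticationException thrown by attemptAuthentication()
 *    itself, clears the SecurityContext and calls its failure handler.
 *    The exception never propagates out of the filter.
 *
 * 2. AuthenticationEntryPoint: invoked by ExceptionTranslationFilter when a
 *    filter further down the chain rejects an unauthenticated request to a
 *    protected resource. A filter registered before
 *    UsernamePasswordAuthenticationFilter runs ahead of
 *    ExceptionTranslationFilter, so its exceptions would not reach it anyway.
 *
 * Delegating from (1) to the entry point used in (2) keeps a single place
 * that decides what an unauthenticated client sees.
 */
public class EntryPointDelegatingFailureHandler implements AuthenticationFailureHandler {

    private final AuthenticationEntryPoint entryPoint;

    public EntryPointDelegatingFailureHandler(AuthenticationEntryPoint entryPoint) {
        this.entryPoint = entryPoint;
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request,
                                        HttpServletResponse response,
                                        AuthenticationException exception)
            throws IOException, ServletException {
        // Same response as the ExceptionTranslationFilter path (401 in the post's entry point).
        entryPoint.commence(request, response, exception);
    }
}

// Registration, using the bean names from the post:
// jwtAuthenticationFilter.setAuthenticationFailureHandler(
//         new EntryPointDelegatingFailureHandler(restAuthenticationEntryPoint()));
```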