Announcement Announcement Module
No announcement yet.
Access Deined Handler not triggering Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Access Deined Handler not triggering

    I have setup a Resource owner password flow and when I give an incorrect password, my authentication manager throws a BadCredentialException. However, in the ResourceOwnerPasswordTokenGranter, the exception is caught and converted into an InvalidGrantException.

    Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
    try {
    userAuth = authenticationManager.authenticate(userAuth);
    catch (BadCredentialsException e) {
    // If the username/password are wrong the spec says we should send 400/bad grant
    throw new InvalidGrantException(e.getMessage());

    My client gets a json response with error code and error message, but the access denied handler is not invoked.
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />

    <bean id="oauthAccessDeniedHandler" class=" r.error.OAuth2AccessDeniedHandler" />

    Can you please let me know if that is how the framework is designed? I need to invoke another service that will update the failed counts and I was planning to added that in the access denied handler.


  • #2
    The comment seems to suggest that it is intentional. In any case access denied handlers would not be triggered for authentication errors, in a normal Spring Security filter chain. This one has been explicitly modified to meet the spec and send a 400 response. The InvalidGrantException will be handled by the error handler in the TokenEndpoint.