
  • Access Denied Handler not triggering

    Hi,
    I have set up a Resource owner password flow and when I give an incorrect password, my authentication manager throws a BadCredentialsException. However, in the ResourceOwnerPasswordTokenGranter, the exception is caught and converted into an InvalidGrantException.

    Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
    try {
        userAuth = authenticationManager.authenticate(userAuth);
    }
    catch (BadCredentialsException e) {
        // If the username/password are wrong the spec says we should send 400/bad grant
        throw new InvalidGrantException(e.getMessage());
    }

    My client gets a json response with error code and error message, but the access denied handler is not invoked.
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />

    <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    Can you please let me know if that is how the framework is designed? I need to invoke another service that will update the failed counts and I was planning to add that in the access denied handler.

    Thanks.

  • #2
    The comment seems to suggest that it is intentional. In any case access denied handlers would not be triggered for authentication errors, in a normal Spring Security filter chain. This one has been explicitly modified to meet the spec and send a 400 response. The InvalidGrantException will be handled by the error handler in the TokenEndpoint.

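Because access denied handlers are not invoked for authentication errors, one place to record failed password-grant attempts is the AuthenticationManager itself, before the granter turns the BadCredentialsException into an InvalidGrantException. The following is an added example, not part of the original thread or of Spring Security OAuth; `CountingAuthenticationManager` and `FailedLoginRecorder` are hypothetical names, and it assumes this wrapper is the manager wired into the token granter.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/** Hypothetical hook for the "failed counts" service; not a Spring type. */
interface FailedLoginRecorder {
    void recordFailure(String username);
    void reset(String username);
}

/**
 * Hypothetical decorator: wraps the real AuthenticationManager so failures are
 * counted before ResourceOwnerPasswordTokenGranter converts the exception.
 */
public class CountingAuthenticationManager implements AuthenticationManager {

    private final AuthenticationManager delegate;
    private final FailedLoginRecorder recorder;

    public CountingAuthenticationManager(AuthenticationManager delegate,
                                         FailedLoginRecorder recorder) {
        this.delegate = delegate;
        this.recorder = recorder;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        // The name is client-supplied and may not match a real account.
        String username = request.getName();
        try {
            Authentication result = delegate.authenticate(request);
            recorder.reset(username);
            return result;
        } catch (BadCredentialsException e) {
            try {
                recorder.recordFailure(username);
            } catch (RuntimeException recorderFailure) {
                // A failing counter must not change the outcome: the granter
                // still has to see BadCredentialsException and answer 400.
            }
            throw e; // rethrown unchanged so the granter's catch block still runs
        }
    }
}
```

The original exception is rethrown as-is, so the client still receives the 400 invalid grant response described in the reply.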