fixes #3

Author: sephiroth-j

CHANGELOG.md

@@ -3,6 +3,8 @@
 ## Unreleased
 ### ⚠ Breaking
 ### ⭐ New Features
+- Allow to change the default behaviour when an authentication failure occurs (Web Servlet only) (fixes [#3](https://github.com/sephiroth-j/spring-security-ltpa2-core/issues/3))
+
 ### 🐞 Bugs Fixed
 
 ##  v1.0.0 - 2020-01-05

src/main/java/de/sephirothj/spring/security/ltpa2/Ltpa2Configurer.java

@@ -21,9 +21,11 @@
 import lombok.experimental.Accessors;
 import org.springframework.http.HttpHeaders;
 import org.springframework.lang.NonNull;
+import org.springframework.lang.Nullable;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.util.Assert;
 
@@ -111,6 +113,15 @@ public class Ltpa2Configurer extends AbstractHttpConfigurer<Ltpa2Configurer, Htt
 	@Setter
 	private boolean allowExpiredToken = false;
 
+	/**
+	 * allows to change the default behaviour when an authentication failure occurs.
+	 * <p>
+	 * The default is to respond with 403 status code</p>
+	 */
+	@Setter
+	@Nullable
+	private AuthenticationFailureHandler authFailureHandler;
+
 	@Override
 	public void configure(HttpSecurity builder) throws Exception
 	{
@@ -123,6 +134,9 @@ public void configure(HttpSecurity builder) throws Exception
 		ltpaFilter.setSharedKey(sharedKey);
 		ltpaFilter.setSignerKey(signerKey);
 		ltpaFilter.setAllowExpiredToken(allowExpiredToken);
+		if (authFailureHandler != null) {
+			ltpaFilter.setAuthFailureHandler(authFailureHandler);
+		}
 		ltpaFilter.afterPropertiesSet();
 		builder.addFilterAt(ltpaFilter, AbstractPreAuthenticatedProcessingFilter.class);
 	}

src/main/java/de/sephirothj/spring/security/ltpa2/Ltpa2Filter.java

@@ -27,6 +27,7 @@
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
 import org.springframework.lang.NonNull;
 import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
@@ -35,6 +36,8 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -107,6 +110,18 @@ public final class Ltpa2Filter extends OncePerRequestFilter
 	@Setter
 	private boolean allowExpiredToken = false;
 
+	/**
+	 * allows to change the default behaviour when an authentication failure occurs.
+	 * <p>
+	 * The default is to respond with 403 status code</p>
+	 */
+	@Setter
+	@NonNull
+	private AuthenticationFailureHandler authFailureHandler = (request, response, exception) ->
+	{
+		response.sendError(HttpStatus.FORBIDDEN.value(), exception.getLocalizedMessage());
+	};
+
 	@Override
 	public void afterPropertiesSet()
 	{
@@ -116,6 +131,7 @@ public void afterPropertiesSet()
 		Assert.notNull(headerValueIdentifier, "The headerValueIdentifier must not be null");
 		Assert.notNull(signerKey, "A signerKey is required");
 		Assert.notNull(sharedKey, "A sharedKey is required");
+		Assert.notNull(authFailureHandler, "An authFailureHandler is required");
 		if (allowExpiredToken)
 		{
 			log.warn("Expired LTPA2 tokens are allowed, this should only be used for testing!");
@@ -173,7 +189,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		catch (AuthenticationException invalidTokenEx)
 		{
 			SecurityContextHolder.clearContext();
-			response.sendError(HttpServletResponse.SC_FORBIDDEN, invalidTokenEx.getLocalizedMessage());
+			authFailureHandler.onAuthenticationFailure(request, response, invalidTokenEx);
 			return;
 		}
 
@@ -186,9 +202,9 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 	 * @param encryptedToken the encrpyted token that sould be verified
 	 * @return a user record but never {@code null}
 	 * @throws AuthenticationException if the token was malformed
-	 * @throws AuthenticationException if the token is expired
-	 * @throws AuthenticationException if the token signature is invalid
-	 * @throws AuthenticationException if the user was not found or has not granted authorities
+	 * @throws InsufficientAuthenticationException if the token is expired
+	 * @throws InsufficientAuthenticationException if the token signature is invalid
+	 * @throws UsernameNotFoundException if the user was not found or has not granted authorities
 	 */
 	@NonNull
 	private UserDetails validateLtpaTokenAndLoadUser(@NonNull final String encryptedToken) throws AuthenticationException
@@ -209,10 +225,15 @@ private UserDetails validateLtpaTokenAndLoadUser(@NonNull final String encrypted
 			final Ltpa2Token token = Ltpa2Utils.makeInstance(ltpaToken);
 			return userDetailsService.loadUserByUsername(token.getUser());
 		}
+		catch (UsernameNotFoundException ex)
+		{
+			log.debug("User not found", ex);
+			throw ex;
+		}
 		catch (AuthenticationException ex)
 		{
-			log.debug("User not found or token is malformed", ex);
-			throw new InsufficientAuthenticationException("token invalid");
+			log.debug("token is malformed", ex);
+			throw new InsufficientAuthenticationException("token invalid", ex);
 		}
 	}
 }

src/main/java/de/sephirothj/spring/security/ltpa2/reactive/Ltpa2AuthConverter.java

@@ -128,7 +128,7 @@ private void checkForExpiredToken(final String ltpaToken, final SynchronousSink<
 		catch (AuthenticationException e)
 		{
 			// do not produce mono error, just log and produce empty mono as by contract of ServerAuthenticationConverter
-			log.warn(e.getLocalizedMessage());
+			log.warn(e.getLocalizedMessage(), e);
 		}
 	}
 
@@ -148,7 +148,7 @@ private void checkTokenSignature(final String ltpaToken, final SynchronousSink<S
 		catch (AuthenticationException e)
 		{
 			// do not produce mono error, just log and produce empty mono as by contract of ServerAuthenticationConverter
-			log.warn(e.getLocalizedMessage());
+			log.warn(e.getLocalizedMessage(), e);
 		}
 	}
 
@@ -171,7 +171,7 @@ public Mono<Authentication> convert(ServerWebExchange exchange)
 			.map(encryptedToken -> Ltpa2Utils.decryptLtpa2Token(encryptedToken, sharedKey))
 			.onErrorResume(e ->
 			{
-				log.warn(e.getLocalizedMessage());
+				log.warn(e.getLocalizedMessage(), e);
 				return Mono.empty();
 			})
 			.handle(this::checkForExpiredToken)

src/test/java/de/sephirothj/spring/security/ltpa2/Ltpa2ConfigurerTest.java

@@ -15,12 +15,18 @@
  */
 package de.sephirothj.spring.security.ltpa2;
 
+import java.security.PublicKey;
+import javax.crypto.SecretKey;
 import org.junit.jupiter.api.Test;
-import org.mockito.ArgumentMatchers;
+import org.mockito.ArgumentCaptor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
@@ -37,15 +43,57 @@ void testConfigure() throws Exception
 	{
 		HttpSecurity httpSecurity = mock(HttpSecurity.class);
 		given(httpSecurity.getSharedObject(UserDetailsService.class)).will(invocation -> mock(invocation.getArgument(0)));
+		final String headerName = "header";
+		final String cookieName = "cookie";
+		final SecretKey sharedKey = LtpaKeyUtils.decryptSharedKey(Constants.ENCRYPTED_SHARED_KEY, Constants.ENCRYPTION_PASSWORD);
+		final PublicKey publicKey = LtpaKeyUtils.decodePublicKey(Constants.ENCODED_PUBLIC_KEY);
 
 		new Ltpa2Configurer()
-			.headerName("header")
-			.cookieName("cookie")
+			.headerName(headerName)
+			.cookieName(cookieName)
 			.allowExpiredToken(true)
-			.sharedKey(LtpaKeyUtils.decryptSharedKey(Constants.ENCRYPTED_SHARED_KEY, Constants.ENCRYPTION_PASSWORD))
-			.signerKey(LtpaKeyUtils.decodePublicKey(Constants.ENCODED_PUBLIC_KEY))
+			.sharedKey(sharedKey)
+			.signerKey(publicKey)
 			.configure(httpSecurity);
 
-		verify(httpSecurity).addFilterAt(ArgumentMatchers.isA(Ltpa2Filter.class), eq(AbstractPreAuthenticatedProcessingFilter.class));
+		ArgumentCaptor<Ltpa2Filter> configuredFilter = ArgumentCaptor.forClass(Ltpa2Filter.class);
+		verify(httpSecurity).addFilterAt(configuredFilter.capture(), eq(AbstractPreAuthenticatedProcessingFilter.class));
+		assertThat(configuredFilter.getValue())
+			.hasFieldOrPropertyWithValue("headerName", headerName)
+			.hasFieldOrPropertyWithValue("headerValueIdentifier", "LtpaToken2 ")
+			.hasFieldOrPropertyWithValue("cookieName", cookieName)
+			.hasFieldOrPropertyWithValue("allowExpiredToken", true)
+			.hasFieldOrPropertyWithValue("sharedKey", sharedKey)
+			.hasFieldOrPropertyWithValue("signerKey", publicKey)
+			.extracting("authFailureHandler").isNotNull()
+			;
+	}
+
+	@Test
+	void testConfigureWithAuthFaulureHandler() throws Exception
+	{
+		HttpSecurity httpSecurity = mock(HttpSecurity.class);
+		given(httpSecurity.getSharedObject(UserDetailsService.class)).will(invocation -> mock(invocation.getArgument(0)));
+		final SecretKey sharedKey = LtpaKeyUtils.decryptSharedKey(Constants.ENCRYPTED_SHARED_KEY, Constants.ENCRYPTION_PASSWORD);
+		final PublicKey publicKey = LtpaKeyUtils.decodePublicKey(Constants.ENCODED_PUBLIC_KEY);
+		final AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler(new Http403ForbiddenEntryPoint());
+		
+		new Ltpa2Configurer()
+			.sharedKey(sharedKey)
+			.signerKey(publicKey)
+			.authFailureHandler(failureHandler)
+			.configure(httpSecurity);
+		
+		ArgumentCaptor<Ltpa2Filter> configuredFilter = ArgumentCaptor.forClass(Ltpa2Filter.class);
+		verify(httpSecurity).addFilterAt(configuredFilter.capture(), eq(AbstractPreAuthenticatedProcessingFilter.class));
+		assertThat(configuredFilter.getValue())
+			.hasFieldOrPropertyWithValue("headerName", "Authorization")
+			.hasFieldOrPropertyWithValue("headerValueIdentifier", "LtpaToken2 ")
+			.hasFieldOrPropertyWithValue("cookieName", "LtpaToken2")
+			.hasFieldOrPropertyWithValue("allowExpiredToken", false)
+			.hasFieldOrPropertyWithValue("sharedKey", sharedKey)
+			.hasFieldOrPropertyWithValue("signerKey", publicKey)
+			.hasFieldOrPropertyWithValue("authFailureHandler", failureHandler)
+			;
 	}
 }

src/test/java/de/sephirothj/spring/security/ltpa2/Ltpa2FilterTest.java

@@ -20,6 +20,8 @@
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.PublicKey;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.TimeUnit;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
@@ -293,4 +295,32 @@ void doFilterInternalShouldCause403ForUnknownUsers() throws ServletException, IO
 		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 		assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
 	}
+
+	@Test
+	void doFilterInternalShouldCause401ForUnknownUsersWithCustomFailureHandler() throws ServletException, IOException, GeneralSecurityException, InterruptedException
+	{
+		HttpServletRequest request = MockMvcRequestBuilders.get("/").header(HttpHeaders.AUTHORIZATION, "LtpaToken2 ".concat(Constants.TEST_TOKEN)).buildRequest(new MockServletContext());
+		HttpServletResponse response = new MockHttpServletResponse();
+		UserDetailsService userDetailsService = Mockito.mock(UserDetailsService.class);
+		given(userDetailsService.loadUserByUsername(anyString())).willThrow(UsernameNotFoundException.class);
+		Ltpa2Filter uut = new Ltpa2Filter();
+		uut.setAllowExpiredToken(true);
+		uut.setUserDetailsService(userDetailsService);
+		uut.setSharedKey(LtpaKeyUtils.decryptSharedKey(Constants.ENCRYPTED_SHARED_KEY, Constants.ENCRYPTION_PASSWORD));
+		uut.setSignerKey(LtpaKeyUtils.decodePublicKey(Constants.ENCODED_PUBLIC_KEY));
+		CountDownLatch authFailureHandlerInvocations = new CountDownLatch(1);
+		uut.setAuthFailureHandler((req, res, ex) ->
+		{
+			authFailureHandlerInvocations.countDown();
+			assertThat(ex).isInstanceOf(UsernameNotFoundException.class);
+			res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
+		});
+
+		uut.doFilter(request, response, new MockFilterChain());
+
+		verify(userDetailsService).loadUserByUsername(anyString());
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+		authFailureHandlerInvocations.await(1, TimeUnit.SECONDS);
+		assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_UNAUTHORIZED);
+	}
 }