Nov 24th, 2011, 12:23 AM
Exception handling with custom authentication manager
I have implemented my own custom authentication manager. From the client application (Android app) I would like to retrieve a token for a user by using Resource owner password credentials authorization type. In case where wrong credentials are given I throw UsernameNotFoundException exception in my custom UserDetailsService, but in my client app I do not get a proper error response. When I debugged the code I found OAuth2ExceptionHandlerFilter returns a RuntimeException as a result of DefaultProviderExceptionHandler returning RuntimeException and due to this a proper response is not formed. Can you suggest what I can do in this case?
Nov 24th, 2011, 02:36 AM
The normal Spring Security ExceptionHandlerFilter should catch that exception and handle it in whatever way you specified in your <http/> configuration. If it doesn't, then it's possible your OAuth filter is in the wrong place in the filter chain. Look at the tonr sample to see how it is configured.
Last edited by Dave Syer; Nov 24th, 2011 at 05:04 AM.
Nov 24th, 2011, 08:54 PM
I have not specified anything in the security configuration file on the client side. I have directly done a POST request for retrieving the token as done in one of your Test classes. On the Service provider (sparklr) side I do get that exception but the error response is not passed properly to the client side. Instead it gives a 302 Temporarily Moved response status.
Nov 25th, 2011, 03:02 AM
I'm confused about the client. You aren't using Spring Security OAuth2RestTemplate I guess? But that's not relevant.
On the provider the 302 is generated by the normal Spring Security ExceptionHandlerFilter - that is its default behaviour, so if you want something else you need to look at the standard Spring Security features I think, and it's nothing really to do with OAuth.
Nov 26th, 2011, 08:25 AM
Take a look at your server application, just in case it is managing the error codes that Spring Security throws in its normal use.
For instance, I tried to use Spring Security for managing the security in an existing application with Basic Authentication (plus a custom userDetailsService) and it didn't work.
The problem was that the web.xml had entries to manage some HTTP error codes, and 401 was among them.
That is the necessary code to commence the Authentication, so it didn't work because the application was handling some of the Security concerns and hence, the security steps didn't seem to work.
I hope it helps you.
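An added example, not code from the thread or from the Spring Security OAuth project: one standard Spring Security way to get a 401 with a machine-readable body instead of the default 302 redirect discussed above is a custom `AuthenticationEntryPoint`. It assumes the authentication exception reaches Spring Security's exception translation filter; the class name, bean id and JSON body are hypothetical.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point for a token endpoint called by non-browser clients.
 * Wire it in through the namespace attribute, for example
 * <http entry-point-ref="jsonUnauthorizedEntryPoint" ...>, where the bean id
 * is an assumption made for this example.
 */
public class JsonUnauthorizedEntryPoint implements AuthenticationEntryPoint {

    // Constructed body. It is deliberately generic: echoing the exception
    // message would tell the caller whether the failure was an unknown
    // username (UsernameNotFoundException) or a wrong password.
    private static final String BODY =
            "{\"error\":\"unauthorized\",\"error_description\":\"Authentication failed\"}";

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // setStatus() rather than sendError(): sendError() hands the response
        // to the container's error-page mechanism, so an <error-page> entry
        // for 401 in web.xml would replace this body with its own page.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // Keep intermediaries from caching an authentication failure.
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write(BODY);
    }
}
```

Log `authException` on the server side if the specific failure reason is needed for troubleshooting; it should not be returned to the client.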