Dec 21st, 2012, 01:27 PM
#1
Access Denied Handler not triggering
Hi,
I have set up a Resource Owner Password flow and when I give an incorrect password, my authentication manager throws a BadCredentialsException. However, in the ResourceOwnerPasswordTokenGranter, the exception is caught and converted into an InvalidGrantException:
    Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
    try {
        userAuth = authenticationManager.authenticate(userAuth);
    }
    catch (BadCredentialsException e) {
        // If the username/password are wrong the spec says we should send 400/bad grant
        throw new InvalidGrantException(e.getMessage());
    }
My client gets a JSON response with an error code and error message, but the access denied handler is not invoked:
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
Can you please let me know if that is how the framework is designed? I need to invoke another service that will update the failed counts and I was planning to add that in the access denied handler.
Thanks.
Dec 22nd, 2012, 04:41 AM
#2
The comment seems to suggest that it is intentional. In any case, access denied handlers would not be triggered for authentication errors in a normal Spring Security filter chain. This one has been explicitly modified to meet the spec and send a 400 response. The InvalidGrantException will be handled by the error handler in the TokenEndpoint.
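As an added example (not code from this thread or from Spring Security OAuth), one way to keep failed-attempt accounting out of the access-denied handler altogether: decorate the AuthenticationManager that the password token granter calls, so the BadCredentialsException is observed before the granter turns it into an InvalidGrantException. The in-memory counter and the idea of a persistent failure-count service are assumptions; the Spring Security types used are the real ones named in the thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Wraps the real AuthenticationManager used by the Resource Owner Password grant.
 * Failed logins are counted here, where the BadCredentialsException is still
 * visible; the exception is then rethrown unchanged so the granter still
 * returns the spec-mandated 400 / invalid_grant response to the client.
 */
public class FailureCountingAuthenticationManager implements AuthenticationManager {

    private final AuthenticationManager delegate;

    // Assumption: an in-memory counter stands in for the "service that will
    // update the failed counts" mentioned in the question.
    private final Map<String, AtomicInteger> failures =
            new ConcurrentHashMap<String, AtomicInteger>();

    public FailureCountingAuthenticationManager(AuthenticationManager delegate) {
        this.delegate = delegate;
    }

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String username = authentication.getName();
        try {
            Authentication result = delegate.authenticate(authentication);
            failures.remove(username);   // a successful login resets the counter
            return result;
        } catch (BadCredentialsException e) {
            AtomicInteger fresh = new AtomicInteger(0);
            AtomicInteger count = failures.putIfAbsent(username, fresh);
            (count == null ? fresh : count).incrementAndGet();
            throw e;                     // let the granter convert it as before
        }
    }

    /** Current failed-attempt count for a username (0 if none recorded). */
    public int failureCount(String username) {
        AtomicInteger count = failures.get(username);
        return count == null ? 0 : count.get();
    }
}
```

Wire the decorator in as the authentication manager handed to the password grant (it takes the original manager as its constructor argument), and leave the access-denied handler for genuine authorization failures.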