From ea6a6c4a26d2060d6cbda96a74de4196422f0966 Mon Sep 17 00:00:00 2001
From: Lucian Holland
Date: Wed, 15 Jan 2025 14:05:01 +0100
Subject: [PATCH] Proposed fix for missing WWW-Authenticate header
Current implementation does not include the WWW-Authenticate header when returning a 401 for missing/invalid credentials when attempting to access the token endpoints. This PR would change to use the standard BasicAuthenticationEntryPoint in order to populate this header correctly.
Signed-off-by: Lucian Holland
Fixes-468
---
 .../OAuth2AuthorizationServerConfigurer.java | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
index 73d4b224a..c4f664bc2 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -27,7 +27,6 @@
 import org.springframework.context.event.GenericApplicationListenerAdapter;
 import org.springframework.context.event.SmartApplicationListener;
 import org.springframework.http.HttpMethod;
-import org.springframework.http.HttpStatus;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -48,8 +47,8 @@ import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator; import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter; -import org.springframework.security.web.authentication.HttpStatusEntryPoint; import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; +import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint; import org.springframework.security.web.context.SecurityContextHolderFilter; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; @@ -87,6 +86,8 @@ public final class OAuth2AuthorizationServerConfigurer private RequestMatcher endpointsMatcher; + private String realm = "oauth2/client"; + /** * Returns a new instance of {@link OAuth2AuthorizationServerConfigurer} for * configuring. @@ -277,6 +278,16 @@ public OAuth2AuthorizationServerConfigurer oidc(Customizer oidcC return this; } + /** + * Configures the default realm value to be return in the WWW-Authenticate header + * @param realm the authentication realm for this server + * @return the {@link OAuth2AuthorizationServerConfigurer} for further configuration + */ + public OAuth2AuthorizationServerConfigurer realm(String realm) { + this.realm = realm; + return this; + } + /** * Returns a {@link RequestMatcher} for the authorization server endpoints. * @return a {@link RequestMatcher} for the authorization server endpoints 
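Review bot: `realm(String realm)` assigns the value unchecked, and because the `BasicAuthenticationEntryPoint` is created with `new` inside `init` rather than managed as a bean, its `afterPropertiesSet()` realm-name check never runs, so a null or empty realm is written straight into `WWW-Authenticate: Basic realm="..."`; guard it with `Assert.hasText(realm, "realm cannot be empty");` (`org.springframework.util.Assert`) before the assignment. The entry point also appears to emit the value unescaped inside the quoted-string, so a realm containing a double quote yields a malformed header — either reject it in the same check or state the restriction in the Javadoc. In that Javadoc, `to be return in the WWW-Authenticate header` should read `to be returned in the WWW-Authenticate header.`, ending with a period like the neighbouring summary sentences.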
@@ -344,7 +355,9 @@ public void init(HttpSecurity httpSecurity) throws Exception {
 ExceptionHandlingConfigurer exceptionHandling = httpSecurity
 .getConfigurer(ExceptionHandlingConfigurer.class);
 if (exceptionHandling != null) {
- exceptionHandling.defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
+ var entryPoint = new BasicAuthenticationEntryPoint();
+ entryPoint.setRealmName(this.realm);
+ exceptionHandling.defaultAuthenticationEntryPointFor(entryPoint,
 new OrRequestMatcher(getRequestMatcher(OAuth2TokenEndpointConfigurer.class),
 getRequestMatcher(OAuth2TokenIntrospectionEndpointConfigurer.class),
 getRequestMatcher(OAuth2TokenRevocationEndpointConfigurer.class),
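Review bot: `var entryPoint` on the first added line hides the type right next to the explicitly typed `ExceptionHandlingConfigurer exceptionHandling` two lines above; for consistency with the surrounding declarations write `BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();`. The entry point reads `this.realm` once here, so a `realm(...)` call made after `init(HttpSecurity)` has run has no effect — worth a sentence on the `realm` method's Javadoc. The challenge is always `Basic`, while these endpoints presumably also accept client authentication methods that do not use the Authorization header, so a client that never sends HTTP Basic credentials still receives a Basic challenge on a missing-credentials 401; a comment such as `// Always challenge with Basic: the token endpoints accept HTTP Basic client credentials (RFC 6749 Section 2.3.1)` would make that deliberate. `init` begins outside the hunk and the `OrRequestMatcher` argument list continues past its last line.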