diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java
index e347329b..b20ae7e7 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java
@@ -59,8 +59,8 @@ import org.springframework.web.filter.OncePerRequestFilter;
* @since 0.0.1
* @see AuthenticationManager
* @see OAuth2ClientAuthenticationProvider
- * @see Section 2.3 Client Authentication
- * @see Section 3.2.1 Token Endpoint Client Authentication
+ * @see Section 2.3 Client Authentication
+ * @see Section 3.2.1 Token Endpoint Client Authentication
*/
public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter {
private final AuthenticationManager authenticationManager;
@@ -69,8 +69,8 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
private final AuthenticationDetailsSource authenticationDetailsSource =
new WebAuthenticationDetailsSource();
private AuthenticationConverter authenticationConverter;
- private AuthenticationSuccessHandler authenticationSuccessHandler;
- private AuthenticationFailureHandler authenticationFailureHandler;
+ private AuthenticationSuccessHandler authenticationSuccessHandler = this::onAuthenticationSuccess;
+ private AuthenticationFailureHandler authenticationFailureHandler = this::onAuthenticationFailure;
/**
* Constructs an {@code OAuth2ClientAuthenticationFilter} using the provided parameters.
@@ -89,37 +89,39 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
new ClientSecretBasicAuthenticationConverter(),
new ClientSecretPostAuthenticationConverter(),
new PublicClientAuthenticationConverter()));
- this.authenticationSuccessHandler = this::onAuthenticationSuccess;
- this.authenticationFailureHandler = this::onAuthenticationFailure;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
- if (this.requestMatcher.matches(request)) {
- try {
- Authentication authenticationRequest = this.authenticationConverter.convert(request);
- if (authenticationRequest instanceof AbstractAuthenticationToken) {
- ((AbstractAuthenticationToken) authenticationRequest).setDetails(
- this.authenticationDetailsSource.buildDetails(request));
- }
- if (authenticationRequest != null) {
- Authentication authenticationResult = this.authenticationManager.authenticate(authenticationRequest);
- this.authenticationSuccessHandler.onAuthenticationSuccess(request, response, authenticationResult);
- }
- } catch (OAuth2AuthenticationException failed) {
- this.authenticationFailureHandler.onAuthenticationFailure(request, response, failed);
- return;
+ if (!this.requestMatcher.matches(request)) {
+ filterChain.doFilter(request, response);
+ return;
+ }
+
+ try {
+ Authentication authenticationRequest = this.authenticationConverter.convert(request);
+ if (authenticationRequest instanceof AbstractAuthenticationToken) {
+ ((AbstractAuthenticationToken) authenticationRequest).setDetails(
+ this.authenticationDetailsSource.buildDetails(request));
+ }
+ if (authenticationRequest != null) {
+ Authentication authenticationResult = this.authenticationManager.authenticate(authenticationRequest);
+ this.authenticationSuccessHandler.onAuthenticationSuccess(request, response, authenticationResult);
}
+ filterChain.doFilter(request, response);
+
+ } catch (OAuth2AuthenticationException ex) {
+ this.authenticationFailureHandler.onAuthenticationFailure(request, response, ex);
}
- filterChain.doFilter(request, response);
}
/**
- * Sets the {@link AuthenticationConverter} used for converting a {@link HttpServletRequest} to an {@link OAuth2ClientAuthenticationToken}.
+ * Sets the {@link AuthenticationConverter} used when attempting to extract client credentials from {@link HttpServletRequest}
+ * to an instance of {@link OAuth2ClientAuthenticationToken} used for authenticating the client.
*
- * @param authenticationConverter used for converting a {@link HttpServletRequest} to an {@link OAuth2ClientAuthenticationToken}
+ * @param authenticationConverter the {@link AuthenticationConverter} used when attempting to extract client credentials from {@link HttpServletRequest}
*/
public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
@@ -127,9 +129,10 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
}
/**
- * Sets the {@link AuthenticationSuccessHandler} used for handling successful authentications.
+ * Sets the {@link AuthenticationSuccessHandler} used for handling a successful client authentication
+ * and associating the {@link OAuth2ClientAuthenticationToken} to the {@link SecurityContext}.
*
- * @param authenticationSuccessHandler the {@link AuthenticationSuccessHandler} used for handling successful authentications
+ * @param authenticationSuccessHandler the {@link AuthenticationSuccessHandler} used for handling a successful client authentication
*/
public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
@@ -137,9 +140,10 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
}
/**
- * Sets the {@link AuthenticationFailureHandler} used for handling failed authentications.
+ * Sets the {@link AuthenticationFailureHandler} used for handling a failed client authentication
+ * and returning the {@link OAuth2Error Error Response}.
*
- * @param authenticationFailureHandler the {@link AuthenticationFailureHandler} used for handling failed authentications
+ * @param authenticationFailureHandler the {@link AuthenticationFailureHandler} used for handling a failed client authentication
*/
public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
@@ -149,13 +153,13 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
private void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
Authentication authentication) {
- SecurityContext context = SecurityContextHolder.createEmptyContext();
- context.setAuthentication(authentication);
- SecurityContextHolder.setContext(context);
+ SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
+ securityContext.setAuthentication(authentication);
+ SecurityContextHolder.setContext(securityContext);
}
private void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
- AuthenticationException failed) throws IOException {
+ AuthenticationException exception) throws IOException {
SecurityContextHolder.clearContext();
@@ -167,7 +171,7 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
// include the "WWW-Authenticate" response header field
// matching the authentication scheme used by the client.
- OAuth2Error error = ((OAuth2AuthenticationException) failed).getError();
+ OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
if (OAuth2ErrorCodes.INVALID_CLIENT.equals(error.getErrorCode())) {
httpResponse.setStatusCode(HttpStatus.UNAUTHORIZED);
@@ -176,4 +180,5 @@ public final class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter
}
this.errorHttpResponseConverter.write(error, null, httpResponse);
}
+
}