Make Public Missing Authority AccessDeniedHandler

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExceptionHandlingConfigurer.java

@@ -16,40 +16,26 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
-import java.io.IOException;
-import java.util.Collection;
 import java.util.LinkedHashMap;
-import java.util.List;
 import java.util.Map;
+import java.util.function.Consumer;
 
-import jakarta.servlet.ServletException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import org.jspecify.annotations.Nullable;
 
-import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.authentication.InsufficientAuthenticationException;
-import org.springframework.security.authorization.AuthorityAuthorizationDecision;
-import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.access.DelegatingMissingAuthorityAccessDeniedHandler;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.access.RequestMatcherDelegatingAccessDeniedHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
-import org.springframework.security.web.savedrequest.NullRequestCache;
 import org.springframework.security.web.savedrequest.RequestCache;
-import org.springframework.security.web.util.ThrowableAnalyzer;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
-import org.springframework.util.Assert;
 
 /**
  * Adds exception handling for Spring Security related exceptions to an application. All
@@ -96,6 +82,9 @@ public final class ExceptionHandlingConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private Map<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entryPoints = new LinkedHashMap<>();
 
+	private DelegatingMissingAuthorityAccessDeniedHandler.Builder missingAuthoritiesHandlerBuilder =
+			DelegatingMissingAuthorityAccessDeniedHandler.builder();
+
 	/**
 	 * Creates a new instance
 	 * @see HttpSecurity#exceptionHandling(Customizer)
@@ -117,6 +106,11 @@ public ExceptionHandlingConfigurer<H> accessDeniedPage(String accessDeniedUrl) {
 		return accessDeniedHandler(accessDeniedHandler);
 	}
 
+	public ExceptionHandlingConfigurer<H> missingAuthoritiesHandler(Consumer<DelegatingMissingAuthorityAccessDeniedHandler.Builder> consumer) {
+		consumer.accept(this.missingAuthoritiesHandlerBuilder);
+		return this;
+	}
+
 	/**
 	 * Specifies the {@link AccessDeniedHandler} to be used
 	 * @param accessDeniedHandler the {@link AccessDeniedHandler} to be used
@@ -189,26 +183,6 @@ public ExceptionHandlingConfigurer<H> defaultAuthenticationEntryPointFor(Authent
 		return this;
 	}
 
-	public ExceptionHandlingConfigurer<H> defaultAuthenticationEntryPointFor(AuthenticationEntryPoint entryPoint,
-			RequestMatcher preferredMatcher, String authority) {
-		this.defaultEntryPointMappings.put(preferredMatcher, entryPoint);
-		LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byMatcher = this.entryPoints.get(authority);
-		if (byMatcher == null) {
-			byMatcher = new LinkedHashMap<>();
-		}
-		byMatcher.put(preferredMatcher, entryPoint);
-		this.entryPoints.put(authority, byMatcher);
-		return this;
-	}
-
-	public ExceptionHandlingConfigurer<H> defaultAuthenticationEntryPointFor(AuthenticationEntryPoint entryPoint,
-			String authority) {
-		LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byMatcher = new LinkedHashMap<>();
-		byMatcher.put(AnyRequestMatcher.INSTANCE, entryPoint);
-		this.entryPoints.put(authority, byMatcher);
-		return this;
-	}
-
 	/**
 	 * Gets any explicitly configured {@link AuthenticationEntryPoint}
 	 * @return
@@ -272,19 +246,10 @@ private AccessDeniedHandler createDefaultDeniedHandler(H http) {
 		if (this.entryPoints.isEmpty()) {
 			return defaults;
 		}
-		Map<String, AccessDeniedHandler> deniedHandlers = new LinkedHashMap<>();
-		for (Map.Entry<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entry : this.entryPoints
-			.entrySet()) {
-			AuthenticationEntryPoint entryPoint = entryPointFrom(entry.getValue());
-			AuthenticationEntryPointAccessDeniedHandlerAdapter deniedHandler = new AuthenticationEntryPointAccessDeniedHandlerAdapter(
-					entryPoint);
-			RequestCache requestCache = http.getSharedObject(RequestCache.class);
-			if (requestCache != null) {
-				deniedHandler.setRequestCache(requestCache);
-			}
-			deniedHandlers.put(entry.getKey(), deniedHandler);
-		}
-		return new AuthenticationFactorDelegatingAccessDeniedHandler(deniedHandlers, defaults);
+		DelegatingMissingAuthorityAccessDeniedHandler deniedHandler = this.missingAuthoritiesHandlerBuilder.build();
+		deniedHandler.setRequestCache(getRequestCache(http));
+		deniedHandler.setDefaultAccessDeniedHandler(defaults);
+		return deniedHandler;
 	}
 
 	private AccessDeniedHandler createDefaultAccessDeniedHandler(H http) {
@@ -299,29 +264,10 @@ private AccessDeniedHandler createDefaultAccessDeniedHandler(H http) {
 	}
 
 	private AuthenticationEntryPoint createDefaultEntryPoint(H http) {
-		AuthenticationEntryPoint defaults = entryPointFrom(this.defaultEntryPointMappings);
-		if (this.entryPoints.isEmpty()) {
-			return defaults;
-		}
-		Map<String, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
-		for (Map.Entry<String, LinkedHashMap<RequestMatcher, AuthenticationEntryPoint>> entry : this.entryPoints
-			.entrySet()) {
-			entryPoints.put(entry.getKey(), entryPointFrom(entry.getValue()));
-		}
-		return new AuthenticationFactorDelegatingAuthenticationEntryPoint(entryPoints, defaults);
-	}
-
-	private AuthenticationEntryPoint entryPointFrom(
-			LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints) {
-		if (entryPoints.isEmpty()) {
+		if (this.defaultEntryPoint == null) {
 			return new Http403ForbiddenEntryPoint();
 		}
-		if (entryPoints.size() == 1) {
-			return entryPoints.values().iterator().next();
-		}
-		DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
-		entryPoint.setDefaultEntryPoint(entryPoints.values().iterator().next());
-		return entryPoint;
+		return this.defaultEntryPoint.build();
 	}
 
 	/**
@@ -340,128 +286,4 @@ private RequestCache getRequestCache(H http) {
 		return new HttpSessionRequestCache();
 	}
 
-	private static final class AuthenticationFactorDelegatingAuthenticationEntryPoint
-			implements AuthenticationEntryPoint {
-
-		private final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer();
-
-		private final Map<String, AuthenticationEntryPoint> entryPoints;
-
-		private final AuthenticationEntryPoint defaults;
-
-		private AuthenticationFactorDelegatingAuthenticationEntryPoint(
-				Map<String, AuthenticationEntryPoint> entryPoints, AuthenticationEntryPoint defaults) {
-			this.entryPoints = new LinkedHashMap<>(entryPoints);
-			this.defaults = defaults;
-		}
-
-		@Override
-		public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException ex)
-				throws IOException, ServletException {
-			Collection<GrantedAuthority> authorization = authorizationRequest(ex);
-			entryPoint(authorization).commence(request, response, ex);
-		}
-
-		private AuthenticationEntryPoint entryPoint(Collection<GrantedAuthority> authorities) {
-			if (authorities == null) {
-				return this.defaults;
-			}
-			for (GrantedAuthority needed : authorities) {
-				AuthenticationEntryPoint entryPoint = this.entryPoints.get(needed.getAuthority());
-				if (entryPoint != null) {
-					return entryPoint;
-				}
-			}
-			return this.defaults;
-		}
-
-		private Collection<GrantedAuthority> authorizationRequest(Exception ex) {
-			Throwable[] chain = this.throwableAnalyzer.determineCauseChain(ex);
-			AuthorizationDeniedException denied = (AuthorizationDeniedException) this.throwableAnalyzer
-				.getFirstThrowableOfType(AuthorizationDeniedException.class, chain);
-			if (denied == null) {
-				return List.of();
-			}
-			if (!(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision authorization)) {
-				return List.of();
-			}
-			return authorization.getAuthorities();
-		}
-
-	}
-
-	private static final class AuthenticationEntryPointAccessDeniedHandlerAdapter implements AccessDeniedHandler {
-
-		private final AuthenticationEntryPoint entryPoint;
-
-		private RequestCache requestCache = new NullRequestCache();
-
-		private AuthenticationEntryPointAccessDeniedHandlerAdapter(AuthenticationEntryPoint entryPoint) {
-			this.entryPoint = entryPoint;
-		}
-
-		void setRequestCache(RequestCache requestCache) {
-			Assert.notNull(requestCache, "requestCache cannot be null");
-			this.requestCache = requestCache;
-		}
-
-		@Override
-		public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException denied)
-				throws IOException, ServletException {
-			AuthenticationException ex = new InsufficientAuthenticationException("access denied", denied);
-			this.requestCache.saveRequest(request, response);
-			this.entryPoint.commence(request, response, ex);
-		}
-
-	}
-
-	private static final class AuthenticationFactorDelegatingAccessDeniedHandler implements AccessDeniedHandler {
-
-		private final ThrowableAnalyzer throwableAnalyzer = new ThrowableAnalyzer();
-
-		private final Map<String, AccessDeniedHandler> deniedHandlers;
-
-		private final AccessDeniedHandler defaults;
-
-		private AuthenticationFactorDelegatingAccessDeniedHandler(Map<String, AccessDeniedHandler> deniedHandlers,
-				AccessDeniedHandler defaults) {
-			this.deniedHandlers = new LinkedHashMap<>(deniedHandlers);
-			this.defaults = defaults;
-		}
-
-		@Override
-		public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException ex)
-				throws IOException, ServletException {
-			Collection<GrantedAuthority> authorization = authorizationRequest(ex);
-			deniedHandler(authorization).handle(request, response, ex);
-		}
-
-		private AccessDeniedHandler deniedHandler(Collection<GrantedAuthority> authorities) {
-			if (authorities == null) {
-				return this.defaults;
-			}
-			for (GrantedAuthority needed : authorities) {
-				AccessDeniedHandler deniedHandler = this.deniedHandlers.get(needed.getAuthority());
-				if (deniedHandler != null) {
-					return deniedHandler;
-				}
-			}
-			return this.defaults;
-		}
-
-		private Collection<GrantedAuthority> authorizationRequest(Exception ex) {
-			Throwable[] chain = this.throwableAnalyzer.determineCauseChain(ex);
-			AuthorizationDeniedException denied = (AuthorizationDeniedException) this.throwableAnalyzer
-				.getFirstThrowableOfType(AuthorizationDeniedException.class, chain);
-			if (denied == null) {
-				return List.of();
-			}
-			if (!(denied.getAuthorizationResult() instanceof AuthorityAuthorizationDecision authorization)) {
-				return List.of();
-			}
-			return authorization.getAuthorities();
-		}
-
-	}
-
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java

@@ -233,7 +233,11 @@ public void init(H http) throws Exception {
 		initDefaultLoginFilter(http);
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.defaultAuthenticationEntryPointFor(getAuthenticationEntryPoint(), "FACTOR_PASSWORD");
+			exceptions.missingAuthoritiesHandler((commence) -> commence
+					.authorities("FACTOR_PASSWORD")
+					.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
+					.commence(getAuthenticationEntryPoint())
+			);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java

@@ -192,8 +192,13 @@ private void registerDefaultEntryPoint(B http, RequestMatcher preferredMatcher)
 		if (exceptionHandling == null) {
 			return;
 		}
-		exceptionHandling.defaultAuthenticationEntryPointFor(postProcess(this.authenticationEntryPoint),
-				preferredMatcher);
+		AuthenticationEntryPoint entryPoint = postProcess(this.authenticationEntryPoint);
+		exceptionHandling.defaultAuthenticationEntryPointFor(entryPoint, preferredMatcher);
+		exceptionHandling.missingAuthoritiesHandler((handler) -> handler
+				.authorities("FACTOR_PASSWORD")
+				.whenRequestMatches(preferredMatcher)
+				.commence(entryPoint)
+		);
 	}
 
 	private void registerDefaultLogoutSuccessHandler(B http, RequestMatcher preferredMatcher) {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java

@@ -155,8 +155,10 @@ public WebAuthnConfigurer<H> creationOptionsRepository(
 	public void init(H http) throws Exception {
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.defaultAuthenticationEntryPointFor(new LoginUrlAuthenticationEntryPoint("/login"),
-					"FACTOR_WEBAUTHN");
+			exceptions.missingAuthoritiesHandler((handler) -> handler
+					.authorities("FACTOR_WEBAUTHN")
+					.commence(new LoginUrlAuthenticationEntryPoint("/login"))
+			);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java

@@ -16,22 +16,16 @@
 
 package org.springframework.security.config.annotation.web.configurers;
 
-import java.util.List;
-
 import jakarta.servlet.http.HttpServletRequest;
-import org.jspecify.annotations.Nullable;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -44,7 +38,6 @@
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 
 /**
  * Adds X509 based pre authentication to an application. Since validating the certificate
@@ -190,8 +183,10 @@ public void init(H http) {
 			.setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
 		ExceptionHandlingConfigurer<H> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptions != null) {
-			exceptions.defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), AnyRequestMatcher.INSTANCE,
-					"FACTOR_X509");
+			exceptions.missingAuthoritiesHandler((handler) -> handler
+					.authorities("FACTOR_X509")
+					.commence(new Http403ForbiddenEntryPoint())
+			);
 		}
 	}
 

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -373,10 +373,6 @@ public void init(B http) throws Exception {
 			http.authenticationProvider(new OidcAuthenticationRequestChecker());
 		}
 		this.initDefaultLoginFilter(http);
-		ExceptionHandlingConfigurer<B> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
-		if (exceptions != null) {
-			exceptions.defaultAuthenticationEntryPointFor(getAuthenticationEntryPoint(), "FACTOR_AUTHORIZATION_CODE");
-		}
 	}
 
 	@Override
@@ -561,11 +557,20 @@ private AuthenticationEntryPoint getLoginEntryPoint(B http, String providerLogin
 		RequestMatcher loginUrlMatcher = new AndRequestMatcher(notXRequestedWith,
 				new NegatedRequestMatcher(defaultLoginPageMatcher), formLoginNotEnabled);
 		// @formatter:off
-		return DelegatingAuthenticationEntryPoint.builder()
+		AuthenticationEntryPoint loginEntryPoint = DelegatingAuthenticationEntryPoint.builder()
 			.addEntryPointFor(loginUrlEntryPoint, loginUrlMatcher)
 			.defaultEntryPoint(getAuthenticationEntryPoint())
 			.build();
 		// @formatter:on
+		ExceptionHandlingConfigurer<B> exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptions != null) {
+			exceptions.missingAuthoritiesHandler((handler) -> handler
+					.authorities("FACTOR_AUTHORIZATION_CODE")
+					.whenRequestMatches(getAuthenticationEntryPointMatcher(http))
+					.commence(loginEntryPoint)
+			);
+		}
+		return loginEntryPoint;
 	}
 
 	private RequestMatcher getFormLoginNotEnabledRequestMatcher(B http) {