Change Default for (Server)AuthenticationEntryPointFailureHandler

Closes gh-9429

Author: jzheaux

docs/modules/ROOT/pages/whats-new.adoc

@@ -32,6 +32,7 @@ Instead, use `requestMatchers` or `HttpSecurity#securityMatchers`.
 * https://github.com/spring-projects/spring-security/issues/11960[gh-11960] - Default to Xor CSRF protection for xref:servlet/exploits/csrf.adoc#servlet-csrf-configure-request-handler[servlet] and xref:reactive/exploits/csrf.adoc#webflux-csrf-configure-request-handler[reactive]
 * https://github.com/spring-projects/spring-security/issues/12019[gh-12019] - Remove deprecated method `setTokenFromMultipartDataEnabled` from `CsrfWebFilter`
 * https://github.com/spring-projects/spring-security/issues/12020[gh-12020] - Remove deprecated method `tokenFromMultipartDataEnabled` from Java Configuration
+* https://github.com/spring-projects/spring-security/issues/9429[gh-9429] - `Authentication(Web)Filter` rethrows `AuthenticationServiceException`s
 
 == Observability
 

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java

@@ -27,7 +27,6 @@
 import org.springframework.security.authentication.AuthenticationDetailsSource;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
-import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.context.SecurityContext;
@@ -40,6 +39,7 @@
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
 import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
 import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
@@ -73,12 +73,8 @@ public class BearerTokenAuthenticationFilter extends OncePerRequestFilter {
 
 	private AuthenticationEntryPoint authenticationEntryPoint = new BearerTokenAuthenticationEntryPoint();
 
-	private AuthenticationFailureHandler authenticationFailureHandler = (request, response, exception) -> {
-		if (exception instanceof AuthenticationServiceException) {
-			throw exception;
-		}
-		this.authenticationEntryPoint.commence(request, response, exception);
-	};
+	private AuthenticationFailureHandler authenticationFailureHandler = new AuthenticationEntryPointFailureHandler(
+			(request, response, exception) -> this.authenticationEntryPoint.commence(request, response, exception));
 
 	private BearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
 

web/src/main/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandler.java

@@ -35,7 +35,7 @@
  */
 public class AuthenticationEntryPointFailureHandler implements AuthenticationFailureHandler {
 
-	private boolean rethrowAuthenticationServiceException = false;
+	private boolean rethrowAuthenticationServiceException = true;
 
 	private final AuthenticationEntryPoint authenticationEntryPoint;
 
@@ -59,7 +59,7 @@ public void onAuthenticationFailure(HttpServletRequest request, HttpServletRespo
 	}
 
 	/**
-	 * Set whether to rethrow {@link AuthenticationServiceException}s (defaults to false)
+	 * Set whether to rethrow {@link AuthenticationServiceException}s (defaults to true)
 	 * @param rethrowAuthenticationServiceException whether to rethrow
 	 * {@link AuthenticationServiceException}s
 	 * @since 5.8

web/src/main/java/org/springframework/security/web/server/authentication/ServerAuthenticationEntryPointFailureHandler.java

@@ -35,7 +35,7 @@ public class ServerAuthenticationEntryPointFailureHandler implements ServerAuthe
 
 	private final ServerAuthenticationEntryPoint authenticationEntryPoint;
 
-	private boolean rethrowAuthenticationServiceException = false;
+	private boolean rethrowAuthenticationServiceException = true;
 
 	public ServerAuthenticationEntryPointFailureHandler(ServerAuthenticationEntryPoint authenticationEntryPoint) {
 		Assert.notNull(authenticationEntryPoint, "authenticationEntryPoint cannot be null");
@@ -54,7 +54,7 @@ public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange, A
 	}
 
 	/**
-	 * Set whether to rethrow {@link AuthenticationServiceException}s (defaults to false)
+	 * Set whether to rethrow {@link AuthenticationServiceException}s (defaults to true)
 	 * @param rethrowAuthenticationServiceException whether to rethrow
 	 * {@link AuthenticationServiceException}s
 	 * @since 5.8

web/src/test/java/org/springframework/security/web/authentication/AuthenticationEntryPointFailureHandlerTests.java

@@ -30,17 +30,17 @@
 public class AuthenticationEntryPointFailureHandlerTests {
 
 	@Test
-	void onAuthenticationFailureWhenDefaultsThenAuthenticationServiceExceptionSwallowed() throws Exception {
+	void onAuthenticationFailureWhenRethrowingThenAuthenticationServiceExceptionSwallowed() throws Exception {
 		AuthenticationEntryPoint entryPoint = mock(AuthenticationEntryPoint.class);
 		AuthenticationEntryPointFailureHandler handler = new AuthenticationEntryPointFailureHandler(entryPoint);
+		handler.setRethrowAuthenticationServiceException(false);
 		handler.onAuthenticationFailure(null, null, new AuthenticationServiceException("fail"));
 	}
 
 	@Test
-	void handleWhenRethrowingThenAuthenticationServiceExceptionRethrown() {
+	void handleWhenDefaultsThenAuthenticationServiceExceptionRethrown() {
 		AuthenticationEntryPoint entryPoint = mock(AuthenticationEntryPoint.class);
 		AuthenticationEntryPointFailureHandler handler = new AuthenticationEntryPointFailureHandler(entryPoint);
-		handler.setRethrowAuthenticationServiceException(true);
 		assertThatExceptionOfType(AuthenticationServiceException.class).isThrownBy(
 				() -> handler.onAuthenticationFailure(null, null, new AuthenticationServiceException("fail")));
 	}

web/src/test/java/org/springframework/security/web/server/authentication/ServerAuthenticationEntryPointFailureHandlerTests.java

@@ -71,16 +71,16 @@ public void onAuthenticationFailureWhenInvokedThenDelegatesToEntryPoint() {
 	}
 
 	@Test
-	void onAuthenticationFailureWhenDefaultsThenAuthenticationServiceExceptionSwallowed() {
+	void onAuthenticationFailureWhenRethrownFalseThenAuthenticationServiceExceptionSwallowed() {
 		AuthenticationServiceException e = new AuthenticationServiceException("fail");
+		this.handler.setRethrowAuthenticationServiceException(false);
 		given(this.authenticationEntryPoint.commence(this.exchange, e)).willReturn(Mono.empty());
 		this.handler.onAuthenticationFailure(this.filterExchange, e).block();
 	}
 
 	@Test
-	void handleWhenRethrowingThenAuthenticationServiceExceptionRethrown() {
+	void handleWhenDefaultsThenAuthenticationServiceExceptionRethrown() {
 		AuthenticationServiceException e = new AuthenticationServiceException("fail");
-		this.handler.setRethrowAuthenticationServiceException(true);
 		assertThatExceptionOfType(AuthenticationServiceException.class)
 				.isThrownBy(() -> this.handler.onAuthenticationFailure(this.filterExchange, e).block());
 	}