Class OAuth2AuthenticationEntryPoint

java.lang.Object
org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
com.broadleafcommerce.auth.user.session.OAuth2AuthenticationEntryPoint
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, org.springframework.security.web.AuthenticationEntryPoint

public class OAuth2AuthenticationEntryPoint extends org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
Provides behavior consistent with http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest, specifically support for the prompt=none parameter. This implementation detects the prompt request parameter and, if its value is none, returns an error response consistent with OIDC rather than redirecting to the login page. This allows silent authentication flows suitable for SPA use cases.
Author:
Jeff Fischer
  • Constructor Summary

    Constructors
    OAuth2AuthenticationEntryPoint(String loginFormUrl, org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository)
    OAuth2AuthenticationEntryPoint(String loginFormUrl, org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.web.RedirectStrategy redirectStrategy)
  • Method Summary

    Methods
    protected String addParametersToRedirect(String requestedRedirectUri, org.springframework.util.MultiValueMap<String,String> additionalParameters)
    Add the given map of parameters to the given redirect URI.
    protected void addSilentAuthErrorParameters(org.springframework.util.MultiValueMap<String,String> additionalParameters, org.springframework.security.core.AuthenticationException authException, jakarta.servlet.http.HttpServletRequest request)
    Gather parameters to add to the failed silent-auth redirect.
    protected String buildSilentAuthorizationRedirect(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, String requestedRedirect, org.springframework.security.core.AuthenticationException authException)
    Add additional parameters to the failed silent-auth redirect.
    protected void clearSavedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    In normal flows, the ExceptionTranslationFilter will have already called RequestCache.saveRequest(HttpServletRequest, HttpServletResponse) to save the current request before calling commence(HttpServletRequest, HttpServletResponse, AuthenticationException).
    void commence(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException authException)
    Determine if a request represents a silent authentication authorization request by checking the request for prompt=none, redirect URI, and valid client.
    protected String determineUrlToUseForThisRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException exception)
    Add the Client ID as a parameter on the redirect for non-silent-auth requests that are being redirected to the login page.
    protected org.springframework.security.web.RedirectStrategy getRedirectStrategy()
    protected org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository getRegisteredClientRepository()
    protected org.springframework.security.web.savedrequest.RequestCache getRequestCache()
    This should be consistent with whatever RequestCache is used in the rest of the security filter chain.
    void setRequestCache(org.springframework.security.web.savedrequest.RequestCache requestCache)
    This should be consistent with whatever RequestCache is used in the rest of the security filter chain.

    Methods inherited from class org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint

    afterPropertiesSet, buildHttpsRedirectUrlForRequest, buildRedirectUrlToLoginPage, getLoginFormUrl, getPortMapper, getPortResolver, isForceHttps, isUseForward, setForceHttps, setPortMapper, setPortResolver, setUseForward

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • OAuth2AuthenticationEntryPoint

      public OAuth2AuthenticationEntryPoint(String loginFormUrl, org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository)
    • OAuth2AuthenticationEntryPoint

      public OAuth2AuthenticationEntryPoint(String loginFormUrl, org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.web.RedirectStrategy redirectStrategy)
  • Method Details

    • commence

      public void commence(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException authException) throws IOException, jakarta.servlet.ServletException
      Determine if a request represents a silent authentication authorization request by checking the request for prompt=none, redirect URI, and valid client. If this is a silent auth request, add error parameters to the request and redirect to the given redirect URI (instead of the login page).
      Specified by:
      commence in interface org.springframework.security.web.AuthenticationEntryPoint
      Overrides:
      commence in class org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
      Parameters:
      request - that resulted in an AuthenticationException.
      response - to be redirected so that the user agent can begin authentication
      authException - The original authentication exception
      Throws:
      IOException - If there are errors setting the redirect.
      jakarta.servlet.ServletException - If there are errors setting the redirect.
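      The decision commence() describes, written out as a stand-alone Java example added here (not Broadleaf's code): a Map from client_id to registered redirect URIs stands in for RegisteredClientRepository, redirect_uri is required to match one of those URIs exactly, and the error code login_required is the one OIDC Core prescribes when prompt=none is sent without an authenticated end-user. The class, constant and parameter names are the example's own.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

public class SilentAuthEntryPointDemo {
    // Constructed stand-in for RegisteredClientRepository: client_id -> registered redirect URIs.
    static final Map<String, Set<String>> CLIENTS =
            Map.of("spa-client", Set.of("https://spa.example.com/silent-callback"));
    static final String LOGIN_FORM_URL = "/login"; // hypothetical loginFormUrl

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** Mirrors the commence() decision: OIDC error redirect for silent auth, login page otherwise. */
    static String commence(Map<String, String> params) {
        String prompt = params.get("prompt");
        String clientId = params.get("client_id");
        String redirectUri = params.get("redirect_uri");
        String state = params.get("state");
        // Silent auth only when prompt=none, client_id is a known client, and redirect_uri exactly
        // matches a registered URI of that client; otherwise fall back to the login page, so an
        // unregistered redirect_uri is never followed (no open redirect via the error response).
        Set<String> registered = clientId == null ? null : CLIENTS.get(clientId);
        boolean silent = "none".equals(prompt) && registered != null
                && redirectUri != null && registered.contains(redirectUri);
        if (silent) {
            // OIDC Core 3.1.2.6: prompt=none without an authenticated end-user yields login_required.
            StringBuilder sb = new StringBuilder(redirectUri)
                    .append(redirectUri.contains("?") ? '&' : '?')
                    .append("error=login_required")
                    .append("&error_description=").append(enc("User is not authenticated"));
            if (state != null) sb.append("&state=").append(enc(state)); // echo client state unchanged
            return sb.toString();
        }
        // Non-silent path (cf. determineUrlToUseForThisRequest): login page with client_id attached.
        return clientId == null ? LOGIN_FORM_URL : LOGIN_FORM_URL + "?client_id=" + enc(clientId);
    }

    public static void main(String[] args) {
        // Registered redirect_uri with prompt=none: error redirect back to the SPA.
        System.out.println(commence(Map.of("prompt", "none", "client_id", "spa-client",
                "redirect_uri", "https://spa.example.com/silent-callback", "state", "xyz")));
        // prompt=none but a redirect_uri not registered for this client: login page instead.
        System.out.println(commence(Map.of("prompt", "none", "client_id", "spa-client",
                "redirect_uri", "https://other.example.net/cb")));
        // No prompt parameter: ordinary login redirect with client_id.
        System.out.println(commence(Map.of("client_id", "spa-client")));
    }
}
```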
    • clearSavedRequest

      protected void clearSavedRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)

      In normal flows, the ExceptionTranslationFilter will have already called RequestCache.saveRequest(HttpServletRequest, HttpServletResponse) to save the current request before calling commence(HttpServletRequest, HttpServletResponse, AuthenticationException).

      This is typically sensible - in most cases, the redirect would just go to '/login'. In such a flow, the expectation would be that the current request was saved in the RequestCache so after a successful login, SavedRequestAwareAuthenticationSuccessHandler kicks in and the user is redirected back to this original request. Furthermore, on that redirect back to the current location, RequestCacheAwareFilter would kick in to clear out the request cache.

      However, in the case of a 'silent' redirect, we aren't going back to '/login' and are instead going somewhere else. This means nothing will immediately consume the cached request and clear it out; it simply lingers in an 'orphaned' state.

      This method should be called in a silent redirect flow to remove the request from the RequestCache, so that no 'orphaned' saved request is left in the cache.

      Parameters:
      request - the current request
      response - the current response
    • determineUrlToUseForThisRequest

      protected String determineUrlToUseForThisRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException exception)
      Add the Client ID as a parameter on the redirect for non-silent-auth requests that are being redirected to the login page.
      Overrides:
      determineUrlToUseForThisRequest in class org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
      Parameters:
      request - The request that failed authentication
      response - The response that is being redirected to the login page.
      exception - The original exception that was thrown during authentication.
      Returns:
      The login page URL with the Client ID applied.
    • buildSilentAuthorizationRedirect

      protected String buildSilentAuthorizationRedirect(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, String requestedRedirect, org.springframework.security.core.AuthenticationException authException)
      Add additional parameters to the failed silent-auth redirect.
      Parameters:
      request - The silent-auth request that failed authentication.
      response - The response that is being redirected back to the silent-auth URI.
      requestedRedirect - The validated redirect parameter from the failed request.
      authException - The original exception that was thrown during authentication.
      Returns:
      The redirect URI with additional parameters.
    • addSilentAuthErrorParameters

      protected void addSilentAuthErrorParameters(org.springframework.util.MultiValueMap<String,String> additionalParameters, org.springframework.security.core.AuthenticationException authException, jakarta.servlet.http.HttpServletRequest request)
      Gather parameters to add to the failed silent-auth redirect.
      Parameters:
      additionalParameters - Map to hold parameters and values to be added to the redirect.
      authException - The original exception that was thrown during authentication.
      request - The silent-auth request that failed authentication.
    • addParametersToRedirect

      protected String addParametersToRedirect(String requestedRedirectUri, org.springframework.util.MultiValueMap<String,String> additionalParameters)
      Add the given map of parameters to the given redirect URI.
      Parameters:
      requestedRedirectUri - The URI to add parameters to.
      additionalParameters - The parameters to add to the redirect URI.
      Returns:
      An encoded redirect URI with the given map as request parameters.
    • getRegisteredClientRepository

      protected org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository getRegisteredClientRepository()
    • getRedirectStrategy

      protected org.springframework.security.web.RedirectStrategy getRedirectStrategy()
    • getRequestCache

      protected org.springframework.security.web.savedrequest.RequestCache getRequestCache()
      This should be consistent with whatever RequestCache is used in the rest of the security filter chain.
    • setRequestCache

      @Autowired public void setRequestCache(org.springframework.security.web.savedrequest.RequestCache requestCache)
      This should be consistent with whatever RequestCache is used in the rest of the security filter chain.