12

We have a REST server (resource + authorization) based on Oauth2 by spring-security + spring web + jersey for our REST resources. Most of this is working out nicely, however when hitting /oauth/token in a username-password flow with bad credentials we don't just get a 400 (as would be correct by the spec) but an entire stacktrace as JSON in the response. I've searched and debugged and fumbled around but couldn't quite locate the culprit. Could this be a spring-security setting? or spring-web? or the servlet that mapps the resources using jersey?

Example response (shortended):

$ curl -X POST -v --data "grant_type=password&username=admin&password=wrong_password&client_id=my_client" http://localhost:9090/oauth/token
* ...
* Connected to localhost (::1) port 9090 (#0)
* ...
> POST /oauth/token HTTP/1.1
> ...
> Accept: */*
> ...
> Content-Type: application/x-www-form-urlencoded
>
* ...
< HTTP/1.1 400 Bad Request
< ...
< Content-Type: application/json;charset=UTF-8
< ...
<
* ...
curl: (56) Recv failure: Connection reset by peer
{
    "cause": null,
    "stackTrace": [{
        "methodName": "getOAuth2Authentication",
        "fileName": "ResourceOwnerPasswordTokenGranter.java",
        "lineNumber": 62,
        "className": "org.springframework.security.oauth2.provider.passwo
    rd.ResourceOwnerPasswordTokenGranter",
        "nativeMethod": false
    },
    .... {"className": "java.lang.Thread",
    "nativeMethod": false
}],
"additionalInformation": null,
"oauth2ErrorCode": "invalid_grant",
"httpErrorCode": 400,
"summary": "error=\"invalid_grant\", error_description=\"Bad credentials\"","message":"Badcredentials","localizedMessage":"Badcredentials"}

Any ideas? Please let me know if you need more infos (web.xml/security.xml/application.xml/servlet.xml)

Thanks!

EDIT: Using client credentials flow with bad credentials it will give me a 401 and no stacktrace. It's just the BadCredentials / InvalidGrant exception thrown when username/password do not match that will result in a stacktrace.

EDIT - Some snippets from our configuration

web.xml

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/application-context.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

<servlet>
    <servlet-name>jersey-serlvet</servlet-name>
    <servlet-class>
        com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>

    <init-param>
        <param-name>com.sun.jersey.config.property.packages</param-name>
        <param-value>our.rest.package</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>jersey-serlvet</servlet-name>
    <url-pattern>/rest/*</url-pattern>
</servlet-mapping>

<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        /WEB-INF/servlet-context.xml            
        </param-value>
    </init-param>
    <load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.appServlet</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The servlet-context.xml just contains freemarker stuff and should not matter The jersey-servlet should not matter either, since it only mapps /rest/** resources and the requested resource is /oauth/token. Which leaves only the spring-security setup:

    authentication-manager-ref="clientAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">

    <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <anonymous enabled="false" />
    <http-basic entry-point-ref="clientAuthenticationEntryPoint" />
    <!-- include this only if you need to authenticate clients via request 
        parameters -->
    <custom-filter ref="clientCredentialsTokenEndpointFilter"
        after="BASIC_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

<http pattern="/rest/**" create-session="stateless"
    <!-- ... -->
</http>

<http disable-url-rewriting="true"
    xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/oauth/**" access="ROLE_USER" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <form-login authentication-failure-url="/login.jsp?authentication_error=true"
        default-target-url="/index.jsp" login-page="/login.jsp"
        login-processing-url="/login.do" />
    <logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    <anonymous />
</http>

<oauth:resource-server id="resourceServerFilter"
    resource-id="engine" token-services-ref="tokenServices" />

<oauth:authorization-server
    client-details-service-ref="clientDetails" token-services-ref="tokenServices">
    <oauth:client-credentials />
    <oauth:password />
</oauth:authorization-server>

<oauth:client-details-service id="clientDetails">
    <!-- several clients for client credentials flow... -->
    <oauth:client client-id="username-password-client"
        authorized-grant-types="password" authorities=""
        access-token-validity="3600" />
</oauth:client-details-service>

<authentication-manager id="clientAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">
    <authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>

<authentication-manager alias="theAuthenticationManager"
    xmlns="http://www.springframework.org/schema/security">
            <!-- authenticationManager is the bean name for our custom implementation 
                 of the UserDetailsService -->
    <authentication-provider user-service-ref="authenticationManager">
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

<bean id="encoder"      class="org.springframework.security.crypto.password.StandardPasswordEncoder">
</bean>

    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="ourRealm" />
</bean>

<bean id="clientAuthenticationEntryPoint"
    class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="ourRealm/client" />
    <property name="typeName" value="Basic" />
</bean>

<bean id="oauthAccessDeniedHandler"     class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>

<sec:global-method-security
    secured-annotations="enabled" pre-post-annotations="enabled">
    <sec:expression-handler ref="expressionHandler" />
</sec:global-method-security>


<bean id="expressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
            <!-- our custom perission evaluator -->
    <property name="permissionEvaluator" ref="permissionEvaluatorJpa" />
</bean>

<bean id="clientDetailsUserService"     class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <constructor-arg ref="clientDetails" />
</bean>

<bean id="clientCredentialsTokenEndpointFilter"
    class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <property name="authenticationManager" ref="clientAuthenticationManager" />
</bean>

<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
    xmlns="http://www.springframework.org/schema/beans">
    <constructor-arg>
        <list>
            <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
            <bean class="org.springframework.security.access.vote.RoleVoter" />
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            <bean
                class="org.springframework.security.web.access.expression.WebExpressionVoter" />

        </list>
    </constructor-arg>
</bean>

<bean id="tokenStore"
    class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
    <constructor-arg ref="ourDataSource" />
</bean>

<bean id="tokenServices"
    class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
    <property name="tokenStore" ref="tokenStore" />
    <property name="supportRefreshToken" value="true" />
    <property name="clientDetailsService" ref="clientDetails" />
</bean>

<bean id="requestFactory"       class="org.springframework.security.oauth2.provider.DefaultAuthorizationRequestFactory">
    <constructor-arg name="clientDetailsService" ref="clientDetails" />
</bean>

<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />

Well, to me there seems to be no obvious place to configure this here.

The stacktrace suggest, that there is an unhandled InvalidGrantException thrown by the ResourceOwnerPasswordTokenGranter. So I've tried adding filters to the filterchain above the spring-security filter in my web.xml, catching all exceptions and handling them. Won't work however, as the spring-security filter seems to handle the InvalidGrantException on its own, meaning no exception bubbles up to my surrounding filter.

The TokenEndpoint (@RequestMapping(value = "/oauth/token")) calls upon the ResourceOwnerPasswordTokenGranter to authenticate username/password:

@FrameworkEndpoint
@RequestMapping(value = "/oauth/token")
public class TokenEndpoint extends AbstractEndpoint {
    @RequestMapping
    public ResponseEntity<OAuth2AccessToken> getAccessToken(Principal principal,
            @RequestParam("grant_type") String grantType, @RequestParam Map<String, String> parameters) {
        // ...
        // undhandled:
        OAuth2AccessToken token = getTokenGranter().grant(grantType, authorizationRequest);
        // ...
        return getResponse(token);
    }

There the correct exception is raised:

public class ResourceOwnerPasswordTokenGranter extends AbstractTokenGranter {   

    @Override
    protected OAuth2Authentication getOAuth2Authentication(AuthorizationRequest clientToken) {
        // ...
        try {
            userAuth = authenticationManager.authenticate(userAuth);
        }
        catch (BadCredentialsException e) {
            // If the username/password are wrong the spec says we should send 400/bad grant
            throw new InvalidGrantException(e.getMessage());
        }
    }

}

but never handled not even when it hits back at the endpoint. So then the filterchain does the exception handling and adds the stacktrace. Instead the endpoint should return a clean 400 without the stacktrace, i.e. handle the damn exception!

Now the only way I can see is to override the TokenEndpoint and catch the exception.

Any better ideas?

Pete
  • 10,720
  • 25
  • 94
  • 139
  • 1
    I think you can alter this behavior by setting a different exceptiontranslator on the endpoint using setProviderExceptionHandler. See https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java – flup Nov 13 '13 at 09:11

1 Answers1

9

You could write a ExceptionMapper for that specific Exception and do whatever you want with the request. The ExceptionMapper handles the Response whenever the defined exception is thrown from your endpoint methods.

import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

@Provider
public class MyExceptionMapper implements ExceptionMapper<InvalidGrantException>
{
    @Override
    public Response toResponse(InvalidGrantException exception)
    {
        return Response.status(Response.Status.BAD_REQUEST).build(); 
    }
}

EDIT 18.11.2013:

I guess you could always you override the EntryPoint class (as seen in this StackOverflow Question).

An customized OAuth2ExceptionRenderer (see SO: Customize SpringSecurity OAuth2 Error Output would work too.

Community
  • 1
  • 1
dube
  • 4,898
  • 2
  • 23
  • 41
  • Thanks for your answer, I'll try that. But how does my web app know about this exception mapper? when is it executed? Or does spring web pick up all those `ExceptionMapper` implementations and execute them whenever the exception is thrown? – Pete Oct 15 '13 at 12:25
  • Yes, it should picked up because of the '@Provider' annotation. You might need to add the '@Singleton' annotation (or add it to the application.xml, if you use XML configuration), but I'm not sure of that – dube Oct 15 '13 at 12:56
  • Won't work, as I expected. The exception is handled inside the spring security part of the chain and thus cannot be caught on the outside. – Pete Nov 12 '13 at 08:13
  • 2
    Couldn't test any of your new proposals yet, as I am currently working on something else. I'll award the bounty to you for your effort but will only accept the answer if it actually works. Might be, someone else stumbles across this and knows from their own experience what to do. PS: I've had this question up on the spring forums for months now with no answer.. Can't believe nobody has ever noticed or cares. – Pete Nov 20 '13 at 09:36