I have configured my Spring Security bean as follows:
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRoleConverter(request));
    return http
            .cors().and()
            .exceptionHandling()
                .authenticationEntryPoint(userAuthenticationEntryPoint)
                .and()
            .addFilterAfter(new UserIdentityContextFilter(contextHolder), BearerTokenAuthenticationFilter.class)
            .authorizeHttpRequests(authorize -> authorize
                    // .requestMatchers(HttpMethod.OPTIONS).permitAll()
                    .requestMatchers("/v1/corporate/{corporateId}/process-executor/**").access(corporateAuthManager)
                    .requestMatchers("/v1/**").authenticated()
                    .anyRequest().denyAll()
            )
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable()
            .oauth2ResourceServer(oauth2 ->
                    oauth2.jwt().jwtAuthenticationConverter(jwtAuthenticationConverter)
            )
            .build();
}
My UserAuthenticationEntryPoint is as follows:
import com.ba.cms.admin.dtos.ExceptionBean;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.MediaType;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import java.io.IOException;
import java.io.OutputStream;

@Component
public class UserAuthenticationEntryPoint implements AuthenticationEntryPoint {

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        // ApiResponse apiResponse = new ApiResponse(401, "Unauthorized. Token is expired", false);
        ExceptionBean bean = new ExceptionBean(401, "Unauthorized. Token is expired");
        // Without these two calls the JSON body would be sent with the default 200 status and no content type
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        OutputStream outputStream = response.getOutputStream();
        ObjectMapper mapper = new ObjectMapper();
        mapper.writeValue(outputStream, bean);
        outputStream.flush();
    }
}
However, when I try with a JWT token that has expired, I expect my UserAuthenticationEntryPoint's commence to be called. Unfortunately it is not being called, and I get a 401 HTTP error response with "Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Jwt expired at 2023-04-04T10:11:40Z", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"" in the WWW-Authenticate HTTP header.
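The behaviour described in the question comes from BearerTokenAuthenticationFilter: when the JWT fails to decode (here, an expired token) the filter reports the failure through its own AuthenticationEntryPoint, a BearerTokenAuthenticationEntryPoint by default, and the request never reaches ExceptionTranslationFilter, so the entry point registered on exceptionHandling() only sees requests that carry no bearer token at all. The following added example (not the asker's code) wires the same entry point into oauth2ResourceServer(...).authenticationEntryPoint(...) and distinguishes an expired token from other invalid tokens; ResourceServerConfig and JsonBearerEntryPoint are hypothetical names. The cors, csrf and session settings from the question are omitted for brevity, and a JwtDecoder bean or issuer-uri property is assumed to be configured.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {   // hypothetical class name
    /** Hypothetical entry point: JSON body plus the WWW-Authenticate header RFC 6750 requires on a 401. */
    static class JsonBearerEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException ex) throws IOException {
            // JwtAuthenticationProvider wraps decoder failures in InvalidBearerTokenException; an expired
            // token's cause is a JwtValidationException whose error description starts "Jwt expired at".
            boolean expired = ex instanceof InvalidBearerTokenException
                    && ex.getCause() instanceof JwtValidationException jve
                    && jve.getErrors().stream()
                          .anyMatch(e -> String.valueOf(e.getDescription()).startsWith("Jwt expired"));
            String message = expired ? "Unauthorized. Token is expired" : "Unauthorized";
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
            response.getWriter().write("{\"status\":401,\"message\":\"" + message + "\"}");
        }
    }
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        AuthenticationEntryPoint entryPoint = new JsonBearerEntryPoint();
        return http
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/v1/**").authenticated()
                        .anyRequest().denyAll())
                // Reached only for requests that carry no bearer token at all.
                .exceptionHandling(eh -> eh.authenticationEntryPoint(entryPoint))
                // BearerTokenAuthenticationFilter reports decode failures (expired token, bad signature)
                // through this entry point itself, before ExceptionTranslationFilter ever runs.
                .oauth2ResourceServer(oauth2 -> oauth2
                        .authenticationEntryPoint(entryPoint)
                        .jwt(jwt -> {}))   // the question's jwtAuthenticationConverter would go here
                .build();
    }
}
```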