Add WWW-Authenticate header for 401 and 403 requests

jimmyjames · jimmyjames · commit c367fc4e8107 · 2020-06-09T11:02:43.000-05:00
diff --git a/lib/src/main/java/com/auth0/spring/security/api/JwtAccessDeniedHandler.java b/lib/src/main/java/com/auth0/spring/security/api/JwtAccessDeniedHandler.java
@@ -0,0 +1,22 @@
+package com.auth0.spring.security.api;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * Custom handler for access denied exceptions.
+ */
+class JwtAccessDeniedHandler extends AccessDeniedHandlerImpl {
+
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        response.addHeader(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"Insufficient scope\"");
+        super.handle(request, response, accessDeniedException);
+    }
+}
diff --git a/lib/src/main/java/com/auth0/spring/security/api/JwtAuthenticationEntryPoint.java b/lib/src/main/java/com/auth0/spring/security/api/JwtAuthenticationEntryPoint.java
@@ -1,5 +1,6 @@
 package com.auth0.spring.security.api;
 
+import org.springframework.http.HttpHeaders;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 
@@ -9,8 +10,14 @@
 import java.io.IOException;
 
 public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
     @Override
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+        response.addHeader(
+                HttpHeaders.WWW_AUTHENTICATE,
+                "Bearer error=\"Invalid access token\""
+        );
+
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized");
     }
 }
diff --git a/lib/src/main/java/com/auth0/spring/security/api/JwtWebSecurityConfigurer.java b/lib/src/main/java/com/auth0/spring/security/api/JwtWebSecurityConfigurer.java
@@ -103,6 +103,7 @@ public HttpSecurity configure(HttpSecurity http) throws Exception {
                 .and()
                 .exceptionHandling()
                 .authenticationEntryPoint(new JwtAuthenticationEntryPoint())
+                .accessDeniedHandler(new JwtAccessDeniedHandler())
                 .and()
                 .httpBasic().disable()
                 .csrf().disable()
diff --git a/lib/src/test/java/com/auth0/spring/security/api/JwtAuthenticationEntryPointTest.java b/lib/src/test/java/com/auth0/spring/security/api/JwtAuthenticationEntryPointTest.java
@@ -19,7 +19,10 @@ public void shouldReturnUnauthorized() throws Exception {
         AuthenticationException exception = mock(AuthenticationException.class);
 
         entryPoint.commence(request, response, exception);
+        verify(response).addHeader(
+                "WWW-Authenticate",
+                "Bearer error=\"Invalid access token\""
+        );
         verify(response).sendError(401, "Unauthorized");
     }
-
 }

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,10 @@ public void shouldReturnUnauthorized() throws Exception {`
`19`	`19`	`AuthenticationException exception = mock(AuthenticationException.class);`
`20`	`20`
`21`	`21`	`entryPoint.commence(request, response, exception);`
	`22`	`+ verify(response).addHeader(`
	`23`	`+ "WWW-Authenticate",`
	`24`	`+ "Bearer error=\"Invalid access token\""`
	`25`	`+ );`
`22`	`26`	`verify(response).sendError(401, "Unauthorized");`
`23`	`27`	`}`
`24`		`-`
`25`	`28`	`}`