java - Spring security: Failed authentication with more details

Question

I'm trying to get the exact motive for a failed autentication (i.e wrong password, user doesn't exist, and so on) problem is, no matter how I try do simulate this actions I always get "Full authentication is required to access this resource", how can I get a more detailed exception ? TKS in advance !

Here's my code:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    UserService userService;

    @Autowired
    UnauthorizedCustomResponse unauthorizedCustomResponse;

    @Autowired
    AccessDeniedCustomResponse accessDeniedCustomResponse;

    @Autowired
    CryptographyService cryptographyService;

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder
                .userDetailsService(userService)
                .passwordEncoder(cryptographyService.getCryptography());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.cors().and().csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("/api/auth/signin", "/api/public/**", "/api/private/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .exceptionHandling()
                .authenticationEntryPoint(unauthorizedCustomResponse)
                .accessDeniedHandler(accessDeniedCustomResponse)
                .and()
                .httpBasic();
    }

}

@Component
public class AccessDeniedCustomResponse implements AccessDeniedHandler {

    private final Logger logger = LogManager.getLogger(this.getClass());

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException exception)
            throws IOException, ServletException {

        logger.error("Usuário n?o autenticado: {}", exception.getMessage());
        CustomException customException = new CustomException(CustomExceptionMessage.CUSTOM_EXCEPTION_NOT_MAPPED, exception);
        customException.flush(response);
    }
}

@Component
public class UnauthorizedCustomResponse implements AuthenticationEntryPoint {

    private final Logger logger = LogManager.getLogger(this.getClass());

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {

        logger.error("Acesso n?o autorizado: {}", exception.getMessage());
        CustomException customException = new CustomException(CustomExceptionMessage.ACCESS_DENIED, exception);
        customException.flush(response);

    }
}

Answer 1

You can analyze the specific exception that was thrown from the AuthenticationException superclass and act accordingly:

@Component
public class UnauthorizedCustomResponse implements AuthenticationEntryPoint {

    private final Logger logger = LogManager.getLogger(this.getClass());

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
            throws IOException, ServletException {

         if(exception.getClass().isAssignableFrom(UsernameNotFound.class)) {
            //Username not found
      }
      else if (exception.getClass().isAssignableFrom(BadCredentials.class)) {         
          //Bad credentials error
      }
      else if (exception.getClass().isAssignableFrom(AccountStatusException.class)) {       
          //Accound status exception 
      }

        logger.error("Acesso n?o autorizado: {}", exception.getMessage());
        CustomException customException = new CustomException(CustomExceptionMessage.ACCESS_DENIED, exception);
        customException.flush(response);

    }
}

You can find a better list of AuthenticationException known subclasses here: https://docs.spring.io/spring-security/site/docs/4.2.19.RELEASE/apidocs/org/springframework/security/core/AuthenticationException.html