Proposed fix for missing WWW-Authenticate header

lucian-pkb · lucian-pkb · commit ea6a6c4a26d2 · 2025-01-15T14:08:27.000+01:00
Current implementation does not include the WWW-Authenticate
header when returning a 401 for missing/invalid credentials when
attempting to access the token endpoints. This PR would change
to use the standard BasicAuthenticationEntryPoint in order to
populate this header correctly.

Signed-off-by: Lucian Holland &lt;lucian@symposion.co.uk&gt;

Fixes-468
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -27,7 +27,6 @@
 import org.springframework.context.event.GenericApplicationListenerAdapter;
 import org.springframework.context.event.SmartApplicationListener;
 import org.springframework.http.HttpMethod;
-import org.springframework.http.HttpStatus;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -48,8 +47,8 @@
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
-import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
@@ -87,6 +86,8 @@ public final class OAuth2AuthorizationServerConfigurer
 
 	private RequestMatcher endpointsMatcher;
 
+	private String realm = "oauth2/client";
+
 	/**
 	 * Returns a new instance of {@link OAuth2AuthorizationServerConfigurer} for
 	 * configuring.
@@ -277,6 +278,16 @@ public OAuth2AuthorizationServerConfigurer oidc(Customizer<OidcConfigurer> oidcC
 		return this;
 	}
 
+	/**
+	 * Configures the default realm value to be return in the WWW-Authenticate header
+	 * @param realm the authentication realm for this server
+	 * @return the {@link OAuth2AuthorizationServerConfigurer} for further configuration
+	 */
+	public OAuth2AuthorizationServerConfigurer realm(String realm) {
+		this.realm = realm;
+		return this;
+	}
+
 	/**
 	 * Returns a {@link RequestMatcher} for the authorization server endpoints.
 	 * @return a {@link RequestMatcher} for the authorization server endpoints
@@ -344,7 +355,9 @@ public void init(HttpSecurity httpSecurity) throws Exception {
 		ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = httpSecurity
 			.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptionHandling != null) {
-			exceptionHandling.defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
+			var entryPoint = new BasicAuthenticationEntryPoint();
+			entryPoint.setRealmName(this.realm);
+			exceptionHandling.defaultAuthenticationEntryPointFor(entryPoint,
 					new OrRequestMatcher(getRequestMatcher(OAuth2TokenEndpointConfigurer.class),
 							getRequestMatcher(OAuth2TokenIntrospectionEndpointConfigurer.class),
 							getRequestMatcher(OAuth2TokenRevocationEndpointConfigurer.class),
