In Spring Security, when it comes to authentication, an AuthenticationException occurs, and I know that logic such as redirection is performed through AuthenticationEntryPoint. An authorization exception throws AccessDeniedException, and AccessDeniedHandler handles it.
However, both of these are objects that are responsible for processing logic for specific exceptions, so I don't know why they are created as objects with different names, EntryPoint and Handler. The function to override when inheriting EntryPoint and the function to implement when inheriting Handler even have the same form.
public interface AuthenticationEntryPoint {
    void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
        throws IOException, ServletException;
}

public interface AccessDeniedHandler {
    void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException)
        throws IOException, ServletException;
}
Why does Spring Security not handle exceptions with a single object called Handler, but a separate EntryPoint object? I'm curious about the difference between the two.
Two different names for two different use cases:
See Spring Security Reference:

Handling Security Exceptions

The ExceptionTranslationFilter allows translation of AccessDeniedException and AuthenticationException into HTTP responses.

ExceptionTranslationFilter is inserted into the FilterChainProxy as one of the Security Filters. The following image shows the relationship of ExceptionTranslationFilter to other components:

1. First, the ExceptionTranslationFilter invokes FilterChain.doFilter(request, response) to invoke the rest of the application.
2. If the user is not authenticated or it is an AuthenticationException, then Start Authentication.
   - The SecurityContextHolder is cleared out.
   - The HttpServletRequest is saved so that it can be used to replay the original request once authentication is successful.
   - The AuthenticationEntryPoint is used to request credentials from the client. For example, it might redirect to a log in page or send a WWW-Authenticate header.
3. Otherwise, if it is an AccessDeniedException, then Access Denied. The AccessDeniedHandler is invoked to handle access denied.

If the application does not throw an AccessDeniedException or an AuthenticationException, then ExceptionTranslationFilter does not do anything.