pagopa · oleksiybozhykntt · Sep 24, 2024 · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024
@@ -1,5 +1,6 @@
 package it.gov.pagopa.arc.config;
 
+import it.gov.pagopa.arc.security.CustomAuthenticationFailureHandler;
 import it.gov.pagopa.arc.security.CustomEntryPoint;
 import it.gov.pagopa.arc.security.CustomLogoutHandler;
 import it.gov.pagopa.arc.security.CustomLogoutSuccessHandler;
@@ -49,6 +50,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                     .baseUri("/token/oneidentity*")
             )
             .successHandler(customAuthenticationSuccessHandler)
+            .failureHandler(new CustomAuthenticationFailureHandler())
         )
         .logout(
             logout ->
@@ -60,6 +62,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         .exceptionHandling(exceptionHandling -> exceptionHandling
             .authenticationEntryPoint(new CustomEntryPoint())
         )
+
         .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
         .authorizeHttpRequests(authorize -> authorize
 

@@ -0,0 +1,21 @@
+package it.gov.pagopa.arc.security;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+@Slf4j
+public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler {
+
+  @Override
+  public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
+      throws IOException {
+    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+    response.setContentType("application/json");
+    response.getWriter().write("{\"error\": \"Authentication Failed\"}");
+    log.info("Authentication Failed " + exception.getMessage());
+  }
+
+}
@@ -11,9 +11,16 @@ public class CustomEntryPoint implements AuthenticationEntryPoint {
   @Override
   public void commence(HttpServletRequest request, HttpServletResponse response,
       AuthenticationException authException) throws IOException {
-    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
-    response.setContentType("application/json");
-    response.getWriter().write("{\"error\": \"Unauthorized access, please login.\"}");
+    if(response.getStatus() == 404){
+      response.setStatus(HttpServletResponse.SC_NOT_FOUND);
+      response.setContentType("application/json");
+      response.getWriter().write("{\"error\": \"Resource not found\"}");
+    } else {
+      response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+      response.setContentType("application/json");
+      response.getWriter().write("{\"error\": \"Unauthorized access, please login.\"}");
+    }
+
   }
 
 }
@@ -1,6 +1,5 @@
 package it.gov.pagopa.arc.config;
 
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 import it.gov.pagopa.arc.controller.generated.ArcAuthApi;
@@ -54,15 +53,13 @@ class OAuth2LoginConfigTest {
     @Test
     void givenURLWithoutCodeAndStateWhenWithoutAccessTokenThenRedirectToLogin() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.get("/token/oneidentity"))
-                .andExpect(status().is3xxRedirection())
-                .andExpect(redirectedUrl("/login?error"));
+                .andExpect(status().is(400));
     }
 
     @Test
     void givenURLWhenWithoutAccessTokenThenRedirectToLogin() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.get("/token/oneidentity?code=fakeCode&state=fakeState"))
-                .andExpect(status().is3xxRedirection())
-                .andExpect(redirectedUrl("/login?error"));
+                .andExpect(status().is(400));
     }
 
     @Test

@@ -0,0 +1,37 @@
+package it.gov.pagopa.arc.security;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.AuthenticationException;
+
+@ExtendWith(MockitoExtension.class)
+class CustomAuthenticationFailureHandlerTest {
+  @Mock
+  private HttpServletRequest request;
+
+  @Mock
+  private HttpServletResponse response;
+  @Mock
+  private AuthenticationException authException;
+
+  private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;
+  @Test
+  void onAuthenticationFailure() throws IOException {
+    PrintWriter writer = mock(PrintWriter.class);
+    when(response.getWriter()).thenReturn(writer);
+
+    customAuthenticationFailureHandler = new CustomAuthenticationFailureHandler();
+    customAuthenticationFailureHandler.onAuthenticationFailure(request,response,authException);
+    verify(response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
+  }
+}
@@ -28,6 +28,17 @@ class CustomEntryPointTest {
 
   private CustomEntryPoint customEntryPoint;
 
+  @Test
+  void givenExceptionDuringRequestValidationThenReturn404() throws IOException {
+    PrintWriter writer = mock(PrintWriter.class);
+    when(response.getWriter()).thenReturn(writer);
+    when(response.getStatus()).thenReturn(404);
+
+    customEntryPoint = new CustomEntryPoint();
+    customEntryPoint.commence(request,response,authException);
+    verify(response).setStatus(HttpServletResponse.SC_NOT_FOUND);
+  }
+
   @Test
   void givenExceptionDuringRequestValidationThenReturn401() throws IOException {
     PrintWriter writer = mock(PrintWriter.class);

@@ -167,7 +167,7 @@ void givenInvalidStateThenRequestAccessToken() throws Exception {
             .andReturn();
 
         Assertions.assertNotNull(secondTimeToken);
-        Assertions.assertEquals(302, secondTimeToken.getResponse().getStatus());
+        Assertions.assertEquals(400, secondTimeToken.getResponse().getStatus());
 
     }
 
@@ -202,7 +202,7 @@ void givenAlreadyUsedStateThenRequestAccessToken() throws Exception {
         Assertions.assertNotNull(token);
         Assertions.assertNotNull(firstTimeToken);
         Assertions.assertNotNull(secondTimeToken);
-        Assertions.assertEquals(302, secondTimeToken.getResponse().getStatus());
+        Assertions.assertEquals(400, secondTimeToken.getResponse().getStatus());
     }
 
     @Test
@@ -220,7 +220,7 @@ void givenAnEmptyStateThenRequestAccessToken() throws Exception {
 
         MvcResult tokenResult = mockMvc.perform(get(TOKEN_URL)
                 .param("code","code"))
-            .andExpect(status().is3xxRedirection())
+            .andExpect(status().is(400))
             .andReturn();
         Assertions.assertNotNull(tokenResult);
     }