One Time Token Authentication Failure Handler

[joaquinjsb]

Expected Behavior

when the request resolver doesn't match, the filter should have a handler for failure for the user to customize.

Current Behavior

an error 404 page appears because it's not managed, a simple redirect strategy would do it.

7.0.0-SNAPSHOT

[joaquinjsb]

I can create a PR if needed.

[jzheaux]

Thanks for the suggestion, @joaquinjsb.

The semantics of the request resolver returning null is that it is abstaining, not erroring. As such, the request handling implications of this:

if (!this.requestMatcher.matches(request)) {
    chain.doFilter(request, response);
    return;
}

are the same as this:

GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request);
if (generateRequest == null) {
    chain.doFilter(request, response);
    return;
}

IOW, if either of these does not match, then a downstream filter or servlet should handle the request. This is true in general of Spring Security filters as well, and a resulting 404 correctly indicates that your application is not handling requests like these.

You may want to consider adding something like:

.anyRequest().authenticated()

to your application so that this returns a 403 instead.

[joaquinjsb]

thanks for the feedback, I'll apply a filter.

thanks!