From 67dbdcb81fe5a32ae63b847b005e0f9767c38e8b Mon Sep 17 00:00:00 2001
From: haynescd
Date: Thu, 1 Feb 2024 12:16:24 -0500
Subject: [PATCH] :lock: Add 401 response when not authorized exception is thrown instead of redirect
---
 .../cbioportal/security/config/ApiSecurityConfig.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java b/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java
index dcc1a24109f..54e6d5be47c 100644
--- a/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java
+++ b/src/main/java/org/cbioportal/security/config/ApiSecurityConfig.java
@@ -8,6 +8,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
 import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -15,7 +16,9 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 @Configuration
 @ConditionalOnProperty(name = "authenticate", havingValue = {"false", "noauthsessionservice", "optional_oauth2"}, isNot = true)
@@ -40,8 +43,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http, @Nullable Data
 .anyRequest().authenticated()
 )
 .sessionManagement(sessionManagement -> sessionManagement.sessionFixation().migrateSession())
- .exceptionHandling(exceptionHandling -> exceptionHandling
- .authenticationEntryPoint(restAuthenticationEntryPoint())
+ .exceptionHandling(eh ->
+ eh.defaultAuthenticationEntryPointFor(
+ new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), AntPathRequestMatcher.antMatcher("/api/**")
+ )
 );
 // When dat.method is not 'none' and a tokenService bean is present,
 // the apiTokenAuthenticationFilter is added to the filter chain.
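Review bot: The `/api/**` matcher passed to `defaultAuthenticationEntryPointFor` is only consulted once a second entry point is registered in this chain; as far as I recall `ExceptionHandlingConfigurer` treats a single registered mapping as the entry point for every request, so confirm against the login configuration (outside this hunk) that non-API requests still receive the redirect the subject line implies they keep rather than a 401. `HttpStatusEntryPoint` also writes a bare 401 with no `WWW-Authenticate` header, which is acceptable for a JSON API but gives token clients no hint of the expected scheme; a one-line comment such as `// API callers get a plain 401 instead of a login redirect; no WWW-Authenticate header is set` above `.exceptionHandling(eh ->` would record that intent. If `restAuthenticationEntryPoint()` is still declared as a bean elsewhere in this class it is now unreferenced by this chain. `securityFilterChain` begins and ends outside the hunk.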