I have a RESTful, Spring Security–based OAuth2 application. I am trying to change the standard Spring Security error response format from XML to JSON and have partially achieved this.
For example, I found out how to change the response format when the request does not contain a bearer token (via the entry point bean on the next line):
<!-- Entry point referenced by entry-point-ref on the /api/** <sec:http> block;
     it renders the response for requests that arrive without an access token. -->
<bean id="oauthAuthenticationEntryPoint"
      class="csmsecurity.CustomAuthenticationEntryPoint" />
But I cannot work out how to intercept / change the format of the following two responses.
When an invalid token is sent to a secured URL, Spring Security currently responds with the following. Where can I change this format?
{"error": "invalid_token","error_description": "Invalid access token: 144285e3-9563-420e-8ce"}
How do I change the JSON format produced for a BadCredentialsException? Does it currently return JSON similar to the above?
Below is my applicationContext.xml
<!-- ===================================================================
     Token endpoint (/oauth/token): client authentication.
     The client authenticates either with HTTP Basic or with
     client_id/client_secret form parameters handled by
     clientCredentialsTokenEndpointFilter.
     =================================================================== -->
<sec:http pattern="/oauth/token"
          create-session="stateless"
          use-expressions="true"
          authentication-manager-ref="authenticationManager">
  <!-- CSRF is off: the endpoint is stateless and authenticated per request
       with client credentials, not with a session cookie. -->
  <sec:csrf disabled="true" />
  <sec:anonymous enabled="false" />
  <!-- A failed HTTP Basic client authentication is rendered by
       clientAuthenticationEntryPoint (an OAuth2AuthenticationEntryPoint). -->
  <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
  <!-- NOTE(review): a BadCredentialsException raised inside this filter is
       not rendered by the http-basic entry point above but by the filter's
       own entry point (an OAuth2AuthenticationEntryPoint unless replaced) -
       check whether the filter exposes an authenticationEntryPoint property
       and point it at a custom bean if that response needs the JSON format. -->
  <sec:custom-filter ref="clientCredentialsTokenEndpointFilter"
                     before="BASIC_AUTH_FILTER" />
  <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

<!-- Authentication manager for OAuth2 *clients* (client_id / client_secret).
     NOTE(review): erase-credentials="false" keeps the client secret inside
     the Authentication object after a successful login; confirm something
     downstream really needs it, otherwise prefer the default (true). -->
<sec:authentication-manager alias="authenticationManager"
                            erase-credentials="false">
  <sec:authentication-provider user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>

<!-- Adapts the ClientDetailsService (clientDetails, defined elsewhere) to a
     UserDetailsService so clients can be authenticated like users. -->
<bean id="clientDetailsUserService"
      class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
  <constructor-arg ref="clientDetails" />
</bean>

<!-- Entry point for the token endpoint; emits a Basic challenge with the
     given realm on authentication failure. -->
<bean id="clientAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
  <property name="realmName" value="Oauth 2 security" />
  <property name="typeName" value="Basic" />
</bean>

<!-- Authenticates clients that send client_id/client_secret as request
     parameters instead of an Authorization header. -->
<bean id="clientCredentialsTokenEndpointFilter"
      class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
  <property name="authenticationManager" ref="authenticationManager" />
</bean>

<!-- Shared access-denied handler (custom JSON rendering) for both http blocks. -->
<bean id="oauthAccessDeniedHandler" class="csmsecurity.CustomAccessDeniedHandler" />

<!-- ===================================================================
     Resource server: everything under /api/** requires a valid bearer
     token carrying ROLE_ADMIN.
     =================================================================== -->
<sec:http pattern="/api/**"
          create-session="never"
          entry-point-ref="oauthAuthenticationEntryPoint"
          use-expressions="true">
  <!-- Stateless bearer-token API: no session cookie, so CSRF is disabled. -->
  <sec:csrf disabled="true" />
  <sec:anonymous enabled="false" />
  <sec:intercept-url pattern="/api/**" access="hasRole('ROLE_ADMIN')" />
  <!-- NOTE(review): the {"error":"invalid_token",...} body for a *present but
       invalid* token is produced by the resource-server filter's own entry
       point, not by entry-point-ref above (which only handles the
       missing-token case). Check whether <oauth:resource-server> accepts an
       entry-point-ref attribute in the schema version in use and point it at
       the custom bean. -->
  <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
  <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>

<!-- Custom entry point used for /api/** requests without an access token. -->
<bean id="oauthAuthenticationEntryPoint"
      class="csmsecurity.CustomAuthenticationEntryPoint" />

<!-- Bearer-token validating filter for the resource server; tokens are
     looked up through the shared tokenServices bean. -->
<oauth:resource-server id="resourceServerFilter"
                       resource-id="springsec"
                       token-services-ref="tokenServices" />

<!-- Token issuance / lookup shared by the authorization and resource servers.
     NOTE(review): accessTokenValiditySeconds=300000 is roughly 83 hours for a
     bearer token; since refresh tokens are enabled, a much shorter access
     token lifetime would limit the damage from a leaked token. -->
<bean id="tokenServices"
      class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
  <property name="tokenStore" ref="tokenStore" />
  <property name="supportRefreshToken" value="true" />
  <property name="accessTokenValiditySeconds" value="300000" />
  <property name="clientDetailsService" ref="clientDetails" />
</bean>

<!-- Tokens are persisted in the database behind dataSource (defined elsewhere). -->
<bean id="tokenStore"
      class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
  <constructor-arg ref="dataSource" />
</bean>

<!-- Authorization server: enabled grant types.
     NOTE(review): the implicit and resource-owner-password grants are
     discouraged by the OAuth 2.0 Security Best Current Practice; keep them
     only if a specific client actually depends on them. -->
<oauth:authorization-server client-details-service-ref="clientDetails"
                            token-services-ref="tokenServices">
  <oauth:authorization-code />
  <oauth:implicit />
  <oauth:refresh-token />
  <oauth:client-credentials />
  <oauth:password authentication-manager-ref="userAuthenticationManager" />
</oauth:authorization-server>

<!-- Authentication manager for resource owners (password grant).
     NOTE(review): ref= on authentication-provider expects an
     AuthenticationProvider bean; the name customUserDetailsService suggests a
     UserDetailsService, which would be wired with user-service-ref instead -
     confirm which type the bean (defined elsewhere) actually is. -->
<sec:authentication-manager id="userAuthenticationManager">
  <sec:authentication-provider ref="customUserDetailsService" />
</sec:authentication-manager>