Custom Access Denied Handler?

[missbaloo]

Hi,

Using Spring Boot 2.x we had a custom access denied handler that was configured in a class extending the KeycloakWebSecurityConfigurerAdapter and overriding like below:

   @Override
    protected void configure(HttpSecurity http) throws Exception {
        ..
        http..
                .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
                ..
    }
..
}

But now since I only configure these things in the application.yaml when using spring-addons-starter-oidc, how do I configure the access denied handler?
In this handler, I just do some extra logging:

public class CustomAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException exc) {
        log.error("Keycloak CustomAccessDeniedHandler " + response.getStatus() + " " + request.getRequestURL(), exc);
        logRequestDetails(request);
    }

    private void logRequestDetails(HttpServletRequest request) {
        List<String> info = new LinkedList<>();
        info.add("AuthType: " + request.getAuthType());
        info.add("Client IP: " + request.getRemoteAddr());
        if(request.getUserPrincipal() != null) {
            info.add("UserPrincipal: " + request.getUserPrincipal().toString());
        }

        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            List<String> singleHeader = new LinkedList<>();
            Enumeration<String> headers = request.getHeaders(headerName);
            while (headers.hasMoreElements()) {
                String headerValue = headers.nextElement();
                singleHeader.add(headerValue);
            }
            info.add(headerName + "(" + String.join(",", singleHeader));
        }
        log.info(String.join(" --- ", info));
    }
}

I wonder if it is possible to accomplish the same thing with this plugin?
Thank you in advance!

[ch4mpy]

To understand all the extensions points for spring-addons-starter-oidc, start with the Spring Boot imports resource.

In the case of a servlet resource server, this will point you to SpringAddonsOidcResourceServerBeans. The first bean defined there is the SecurityFilterChain and is rather decently documented.

You should notice a httpPostProcessor parameter which is advertised as a "Hook to override all or part of HttpSecurity auto-configuration". So basically, if you expose a ResourceServerHttpSecurityPostProcessor bean, you can alter auto-configuration the way you like:

@Bean
ResourceServerHttpSecurityPostProcessor resourceServerHttpSecurityPostProcessor() {
	return (HttpSecurity httpSecurity) -> {
		httpSecurity.exceptionHandling(exceptionHandlingCustomizer -> {
			exceptionHandlingCustomizer.accessDeniedHandler(new CustomAccessDeniedHandler());
		});
		return httpSecurity;
	};
}

[missbaloo]

I actually did try this but didn't get it to work but it turned out to be a wrong logging configuration that caused it. Using this in combination with fixing that solved it for me. Thank you! Also, thanks for a great plugin in general, saved a lot of headache for me.