
Avoid Exception Message in HTTP Response

Fixes gh-4587
Rob Winch 8 년 전
부모
커밋
646b3e48b3

+ 2 - 1
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeRequestRedirectFilter.java

@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.client.web;
 
+import org.springframework.http.HttpStatus;
 import org.springframework.security.crypto.keygen.StringKeyGenerator;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -148,7 +149,7 @@ public class AuthorizationCodeRequestRedirectFilter extends OncePerRequestFilter
 		if (logger.isDebugEnabled()) {
 			logger.debug("Authorization Request failed: " + failed.toString(), failed);
 		}
-		response.sendError(HttpServletResponse.SC_BAD_REQUEST, failed.getMessage());
+		response.sendError(HttpStatus.BAD_REQUEST.value(), HttpStatus.BAD_REQUEST.getReasonPhrase());
 	}
 
 	private String expandRedirectUri(HttpServletRequest request, ClientRegistration clientRegistration) {
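Review bot: The reason for replacing `failed.getMessage()` with the static reason phrase in the new `sendError` call lives only in the commit title, so nothing in the code stops a later maintainer from putting the message back. A short comment on that line would protect the change, for example `// Deliberately send the generic reason phrase: the exception message is not meant for the client (gh-4587)`. The same comment is worth adding at the equivalent `sendError` calls in AccessDeniedHandlerImpl, SimpleUrlAuthenticationFailureHandler, BasicAuthenticationEntryPoint and DigestAuthenticationEntryPoint. The debug log on the line above still records the full exception, which is the right place for that detail; the enclosing method starts outside the hunk.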

+ 4 - 3
web/src/main/java/org/springframework/security/web/access/AccessDeniedHandlerImpl.java

@@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.WebAttributes;
 
@@ -65,15 +66,15 @@ public class AccessDeniedHandlerImpl implements AccessDeniedHandler {
 						accessDeniedException);
 
 				// Set the 403 status code.
-				response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+				response.setStatus(HttpStatus.FORBIDDEN.value());
 
 				// forward to error page.
 				RequestDispatcher dispatcher = request.getRequestDispatcher(errorPage);
 				dispatcher.forward(request, response);
 			}
 			else {
-				response.sendError(HttpServletResponse.SC_FORBIDDEN,
-						accessDeniedException.getMessage());
+				response.sendError(HttpStatus.FORBIDDEN.value(),
+					HttpStatus.FORBIDDEN.getReasonPhrase());
 			}
 		}
 	}
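Review bot: The continuation line `HttpStatus.FORBIDDEN.getReasonPhrase());` is indented one tab less than the line it replaced and than the file's other wrapped argument visible at the top of the hunk (`accessDeniedException);`), so the new call no longer follows the surrounding double-indent style for continuations. The same one-tab continuation appears in the new `sendError` calls in SimpleUrlAuthenticationFailureHandler and DigestAuthenticationEntryPoint. Either keep the original continuation indent or put the call on a single line as BasicAuthenticationEntryPoint does in this commit. The enclosing method begins outside the hunk.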

+ 3 - 2
web/src/main/java/org/springframework/security/web/authentication/SimpleUrlAuthenticationFailureHandler.java

@@ -24,6 +24,7 @@ import javax.servlet.http.HttpSession;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.WebAttributes;
 import org.springframework.security.web.DefaultRedirectStrategy;
@@ -74,8 +75,8 @@ public class SimpleUrlAuthenticationFailureHandler implements
 		if (defaultFailureUrl == null) {
 			logger.debug("No failure URL set, sending 401 Unauthorized error");
 
-			response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
-					"Authentication Failed: " + exception.getMessage());
+			response.sendError(HttpStatus.UNAUTHORIZED.value(),
+				HttpStatus.UNAUTHORIZED.getReasonPhrase());
 		}
 		else {
 			saveException(request, exception);

+ 2 - 2
web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPoint.java

@@ -22,6 +22,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.beans.factory.InitializingBean;
@@ -57,8 +58,7 @@ public class BasicAuthenticationEntryPoint implements AuthenticationEntryPoint,
 	public void commence(HttpServletRequest request, HttpServletResponse response,
 			AuthenticationException authException) throws IOException, ServletException {
 		response.addHeader("WWW-Authenticate", "Basic realm=\"" + realmName + "\"");
-		response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
-				authException.getMessage());
+		response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
 	}
 
 	public String getRealmName() {

+ 3 - 2
web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationEntryPoint.java

@@ -27,6 +27,7 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.core.Ordered;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 
@@ -109,8 +110,8 @@ public class DigestAuthenticationEntryPoint implements AuthenticationEntryPoint,
 		}
 
 		httpResponse.addHeader("WWW-Authenticate", authenticateHeader);
-		httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
-				authException.getMessage());
+		httpResponse.sendError(HttpStatus.UNAUTHORIZED.value(),
+			HttpStatus.UNAUTHORIZED.getReasonPhrase());
 	}
 
 	public String getKey() {

+ 3 - 3
web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationEntryPointTests.java

@@ -18,6 +18,7 @@ package org.springframework.security.web.authentication.www;
 
 import org.junit.Test;
 
+import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.DisabledException;
@@ -65,11 +66,10 @@ public class BasicAuthenticationEntryPointTests {
 
 		// ep.afterPropertiesSet();
 
-		String msg = "These are the jokes kid";
-		ep.commence(request, response, new DisabledException(msg));
+		ep.commence(request, response, new DisabledException("These are the jokes kid"));
 
 		assertThat(response.getStatus()).isEqualTo(401);
-		assertThat(response.getErrorMessage()).isEqualTo(msg);
+		assertThat(response.getErrorMessage()).isEqualTo(HttpStatus.UNAUTHORIZED.getReasonPhrase());
 
 		assertThat(response.getHeader("WWW-Authenticate"))
 				.isEqualTo("Basic realm=\"hello\"");
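Review bot: Only BasicAuthenticationEntryPoint gets an assertion that the error message is now the reason phrase; as far as this commit shows, the matching change in AccessDeniedHandlerImpl, SimpleUrlAuthenticationFailureHandler, DigestAuthenticationEntryPoint and AuthorizationCodeRequestRedirectFilter is left without a test, so a later edit reinstating `getMessage()` in any of them would still pass the suite. A parallel test per handler that invokes it with an exception carrying a recognizable message and then asserts `assertThat(response.getErrorMessage()).isEqualTo(HttpStatus.UNAUTHORIZED.getReasonPhrase());` (or `FORBIDDEN` / `BAD_REQUEST` as appropriate) would pin the contract. The test method's signature is outside the hunk.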