BearerTokenAuthenticationEntryPoint uses context path

Closes gh-18528

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPoint.java

@@ -98,9 +98,11 @@ public final class BearerTokenAuthenticationEntryPoint implements Authentication
 	}
 
 	private static String getResourceMetadataParameter(HttpServletRequest request) {
+		String path = request.getContextPath()
+				+ OAuth2ProtectedResourceMetadataFilter.DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI;
 		// @formatter:off
 		return UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request))
-				.replacePath(OAuth2ProtectedResourceMetadataFilter.DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI)
+				.replacePath(path)
 				.replaceQuery(null)
 				.fragment(null)
 				.build()

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPointTests.java

@@ -65,6 +65,18 @@ public class BearerTokenAuthenticationEntryPointTests {
 				"Bearer realm=\"test\", resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\"");
 	}
 
+	@Test
+	public void commenceWhenNoBearerTokenErrorAndContextPathSetThenStatus401AndAuthHeaderWithContextPath() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setContextPath("/ctx");
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		this.authenticationEntryPoint.commence(request, response, new BadCredentialsException("test"));
+		assertThat(response.getStatus()).isEqualTo(401);
+		assertThat(response.getHeader("WWW-Authenticate"))
+			.isEqualTo("Bearer resource_metadata=\"http://localhost/ctx/.well-known/oauth-protected-resource\"");
+
+	}
+
 	@Test
 	public void commenceWhenInvalidRequestErrorThenStatus400AndHeaderWithError() throws Exception {
 		MockHttpServletRequest request = new MockHttpServletRequest();