/**
 * Runs the MFA check for requests whose {@code GRANT_TYPE} parameter is accepted by
 * {@code isGrantTypeSupported}, then hands the request to the rest of the filter chain.
 *
 * <p>Outcomes visible in this method:
 * <ul>
 *   <li>{@code checkMfaCode} returns a non-null provider: an
 *       {@code MfaAuthenticationSuccessEvent} is published and the chain continues.</li>
 *   <li>{@code InsufficientAuthenticationException}: a {@code JsonError(400, "invalid_request", ...)}
 *       carrying the exception message is passed to {@code handleException}; no event is published.</li>
 *   <li>{@code MissingMfaCodeException} / {@code UserMfaConfigDoesNotExistException}: an
 *       {@code MfaAuthenticationFailureEvent} is published, then the same 400 error shape is used.</li>
 *   <li>{@code InvalidMfaCodeException}: an {@code MfaAuthenticationFailureEvent} is published and a
 *       {@code JsonError(401, "unauthorized", "Bad credentials")} is used; the exception's own
 *       message is not put into the error.</li>
 * </ul>
 *
 * <p>NOTE(review): the {@code try} also covers {@code filterChain.doFilter}, so the same exception
 * types raised further down the chain are translated here too and, for the MFA exception types,
 * recorded as MFA failure events.
 *
 * @param request     the incoming request; its {@code GRANT_TYPE} parameter selects whether MFA is checked
 * @param response    the response handed to {@code handleException} on failure
 * @param filterChain the remaining chain, invoked when no handled exception was raised before it
 * @throws ServletException declared by the filter contract (not raised directly in this method)
 * @throws IOException      declared by the filter contract (not raised directly in this method)
 */
@Override
protected void doFilterInternal(HttpServletRequest request,
                                HttpServletResponse response,
                                FilterChain filterChain) throws ServletException, IOException {
    // Only assigned when checkMfaCode returns normally. If checkMfaCode itself throws,
    // this is still null in the catch blocks and the failure event carries the literal
    // string "null" as its provider type.
    MfaProvider provider = null;
    try {
        final String grantType = request.getParameter(GRANT_TYPE);
        if (isGrantTypeSupported(grantType)) {
            provider = checkMfaCode(request);
            // Looked up even when provider is null, exactly as the success event needs it.
            UaaUser authenticatedUser = getUaaUser();
            if (provider != null) {
                publishEvent(
                    new MfaAuthenticationSuccessEvent(
                        authenticatedUser,
                        getAuthentication(),
                        provider.getType().toValue()));
            }
        }
        filterChain.doFilter(request, response);
    } catch (InsufficientAuthenticationException insufficient) {
        // No audit event on this path; the exception message is returned in the error.
        JsonError badRequest = new JsonError(400, "invalid_request", insufficient.getMessage());
        handleException(badRequest, response);
    } catch (MissingMfaCodeException | UserMfaConfigDoesNotExistException mfaProblem) {
        UaaUser failedUser = getUaaUser();
        publishEvent(
            new MfaAuthenticationFailureEvent(
                failedUser,
                getAuthentication(),
                provider != null ? provider.getType().toValue() : "null"));
        // NOTE(review): the exception message is echoed to the caller here; confirm the
        // messages of these exception types never carry user- or config-specific detail.
        JsonError badRequest = new JsonError(400, "invalid_request", mfaProblem.getMessage());
        handleException(badRequest, response);
    } catch (InvalidMfaCodeException invalidCode) {
        UaaUser failedUser = getUaaUser();
        publishEvent(
            new MfaAuthenticationFailureEvent(
                failedUser,
                getAuthentication(),
                provider != null ? provider.getType().toValue() : "null"));
        // A fixed, generic message is used for a wrong code instead of the exception text.
        JsonError unauthorized = new JsonError(401, "unauthorized", "Bad credentials");
        handleException(unauthorized, response);
    }
}