
PathParamsResourceMapper throwing Error on requests for a non-existing path #11

Closed
reardonm opened this issue Jul 15, 2024 · 1 comment

Comments

@reardonm

Given a URL pattern-based authorization

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/api/**").access(new AsertoAuthorizationManager(authzCfg))
            );
        return http.build();
    }

When a request is made to a non-existing URL child path, the PathParamsResourceMapper throws an exception because it cannot find a given mapping for that URL:

    com.aserto.authorizer.mapper.resource.ResourceMapperError: Uri /api/foo does not match any mapping
    	at com.aserto.authorizer.mapper.resource.PathParamsResourceMapper.getResource(PathParamsResourceMapper.java:39)
    	at com.aserto.authorizer.AsertoAuthorizationManager.check(AsertoAuthorizationManager.java:113)
    	at com.aserto.authorizer.AsertoAuthorizationManager.check(AsertoAuthorizationManager.java:83)
    	at com.aserto.authorizer.AsertoAuthorizationManager.check(AsertoAuthorizationManager.java:71)
    	at com.aserto.authorizer.AsertoAuthorizationManager.check(AsertoAuthorizationManager.java:60)
    	at com.aserto.authorizer.AsertoAuthorizationManager.check(AsertoAuthorizationManager.java:28)
    	at org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager.check(RequestMatcherDelegatingAuthorizationManager.java:82)
    	at org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager.check(RequestMatcherDelegatingAuthorizationManager.java:45)
    	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:95)

This results in a 500 HTTP status response when nothing is wrong with the backend. The desired outcome is probably debatable, but the request should be some kind of 40x (e.g., 403 or 404) instead. Throwing a "ResourceMapperError" in PathParamsResourceMapper results in the need to add special handling for this case.

The fact that ResourceMapperError extends from java.lang.Error instead of java.lang.Exception also seems strange here. Although the Java convention for java.lang.Error is that it should indicate "serious problems that a reasonable application should not try to catch," the need to prevent a 500 status for this condition requires catching and handling ResourceMapperError.

Would it not be better for getResource to yield an empty Map instead here?
https://github.com/aserto-dev/aserto-spring/blob/main/src/main/java/com/aserto/authorizer/mapper/resource/PathParamsResourceMapper.java#L39

Thank you!
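The behaviour the report asks for, as an added example that is not code from aserto-spring or from the reporter: a path-template resource mapper whose `getResource` returns an empty map on a miss instead of throwing, paired with an `AuthorizationManager` that turns that miss into a deny (fail closed) rather than letting an exception surface as a 500. The class names `LenientPathParamsResourceMapper`, `FailClosedAuthorizationManager` and the `PolicyClient` interface are hypothetical stand-ins for the project's own types; the Spring APIs (`AntPathMatcher`, `AuthorizationManager`, `RequestAuthorizationContext`, `AuthorizationDecision`) are real.

```java
// Added example, not the aserto-spring implementation. Demonstrates "empty map on
// a mapping miss" plus a fail-closed authorization decision. Names marked
// "hypothetical" are stand-ins for whatever the real project uses.
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.util.AntPathMatcher;

/** Hypothetical mapper: resolves a request path to its template variables. */
final class LenientPathParamsResourceMapper {
    private final AntPathMatcher matcher = new AntPathMatcher();
    // Constructed templates, e.g. "/api/users/{id}", "/api/orders/{orderId}/items/{itemId}"
    private final List<String> templates;

    LenientPathParamsResourceMapper(List<String> templates) {
        this.templates = List.copyOf(templates);
    }

    /**
     * Returns the variables of the first matching template, or an empty map when
     * no template matches. An unknown URL is an ordinary outcome for an
     * authorization check, so it is reported as data rather than thrown as an Error.
     */
    Map<String, String> getResource(String uri) {
        for (String template : templates) {
            if (matcher.match(template, uri)) {
                return new LinkedHashMap<>(matcher.extractUriTemplateVariables(template, uri));
            }
        }
        return Collections.emptyMap();
    }
}

/** Hypothetical stand-in for the call out to the external policy decision point. */
interface PolicyClient {
    boolean isAllowed(Authentication authentication, String method, Map<String, String> resource);
}

/**
 * Hypothetical manager: a mapping miss or an authorizer failure yields a deny.
 * Spring Security turns a denied decision into 403 for an authenticated caller
 * (or the authentication entry point for an anonymous one); nothing here can
 * escape as a 500, and nothing here can accidentally allow.
 */
final class FailClosedAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
    private final LenientPathParamsResourceMapper mapper;
    private final PolicyClient policy;

    FailClosedAuthorizationManager(LenientPathParamsResourceMapper mapper, PolicyClient policy) {
        this.mapper = mapper;
        this.policy = policy;
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication,
                                       RequestAuthorizationContext context) {
        HttpServletRequest request = context.getRequest();
        Map<String, String> resource = mapper.getResource(request.getRequestURI());
        if (resource.isEmpty()) {
            // No mapping for this path: deny. A 404 instead of 403 would have to come
            // from the request matcher not routing the path to this manager at all.
            return new AuthorizationDecision(false);
        }
        try {
            boolean allowed = policy.isAllowed(authentication.get(), request.getMethod(), resource);
            return new AuthorizationDecision(allowed);
        } catch (RuntimeException e) {
            // Authorizer unreachable or misbehaving: fail closed rather than propagate.
            return new AuthorizationDecision(false);
        }
    }
}

// Wiring, mirroring the reporter's filter chain:
//   .requestMatchers("/api/**").access(new FailClosedAuthorizationManager(mapper, policyClient))
```

With this shape, a request to `/api/foo` that matches no template gets an empty resource map and a denied decision, which the filter chain reports as 403 rather than the 500 shown in the stack trace above; the caller of `getResource` no longer has to catch a `java.lang.Error` subclass to keep the application's error handling sane.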

@ronenh
Contributor

ronenh commented Aug 9, 2024

Fixed in #12 and released in v0.2.3

@ronenh ronenh closed this as completed Aug 9, 2024