Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spring Boot 3: ResponseStatusException does not work #33934

Closed
xuanswe opened this issue Jan 22, 2023 · 5 comments
Closed

Spring Boot 3: ResponseStatusException does not work #33934

xuanswe opened this issue Jan 22, 2023 · 5 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@xuanswe
Copy link

xuanswe commented Jan 22, 2023
edited
Loading

  1. Download generated code from https://start.spring.io
    image

  2. Replace content of DemoApplication.kt with the following code

@SpringBootApplication
class DemoApplication

fun main(vararg args: String) {
  SpringApplication.run(DemoApplication::class.java, *args)
}

@RestController
class HelloController {
  @GetMapping("/public-api/hello")
  fun hello(@RequestParam error: Boolean = false) =
    if (error)
      throw ResponseStatusException(HttpStatus.BAD_REQUEST)
    else
      ResponseEntity.ok().build<Unit>()
}

@Configuration
@EnableWebSecurity
class SecurityConfig {
  @Bean
  fun securityFilterChain(http: HttpSecurity) = http
    .csrf().disable()
    .httpBasic().disable()
    .authorizeHttpRequests { requests ->
      requests
        .requestMatchers("/public-api/**").permitAll()
        .anyRequest().authenticated()
    }
    .build()
}
  1. PROBLEM: Request http://localhost:8080/public-api/hello?error=true returns "403 Forbidden"
  2. Now in build.gradle.kts, change id("org.springframework.boot") version "3.0.2" to id("org.springframework.boot") version "2.7.8"
  3. In DemoApplication.kt, change requestMatchers("/public-api/**") to antMatchers("/public-api/**") because requestMatchers is not available in Spring Boot 2.
  4. CORRECT: Request http://localhost:8080/public-api/hello?error=true returns "400 Bad Request" with body
{
    "timestamp": "2023-01-22T13:39:18.084+00:00",
    "status": 400,
    "error": "Bad Request",
    "path": "/public-api/hello"
}
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 22, 2023
@xuanswe xuanswe closed this as not planned Won't fix, can't repro, duplicate, stale Jan 22, 2023
@bclozel bclozel added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 22, 2023
@xuanswe xuanswe changed the title Spring Boot 3: requestMatchers doesn't not work Spring Boot 3: ResponseStatusException doesn't not work Jan 22, 2023
@xuanswe xuanswe reopened this Jan 22, 2023
@xuanswe xuanswe changed the title Spring Boot 3: ResponseStatusException doesn't not work Spring Boot 3: ResponseStatusException does not work Jan 22, 2023
@scottfrederick scottfrederick added status: waiting-for-triage An issue we've not yet triaged and removed status: invalid An issue that we don't feel is valid labels Jan 22, 2023
@philwebb
Copy link
Member

By default Spring Boot 3.0 also applies security to error dispatches. In your example, the .requestMatchers("/public-api/**") filter is working but there's no equivalent rule for permitting errors.

Try adding:

requests.requestMatchers("/error").permitAll();

to your configuration.

@philwebb philwebb closed this as not planned Won't fix, can't repro, duplicate, stale Jan 22, 2023
@philwebb philwebb added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 22, 2023
@xuanswe
Copy link
Author

xuanswe commented Jan 23, 2023

@philwebb nice. It works. Thanks!
So, in Spring 2, /error is allowed regardless of custom authorizeHttpRequests.
In Spring 3, if there's a custom authorizeHttpRequests, the default security rules are disabled. Therefore, we need to explicitly redefine them.

This was referenced Feb 23, 2023
Closed
Closed
@mbhave
Copy link
Contributor

mbhave commented Feb 23, 2023
edited
Loading

@xuan-nguyen-swe The reason why /error worked in 2.x was because we had a custom filter which checked if a user should be granted access to the error page or not. In Spring Boot 3.0, we removed the custom filter to align with Spring Security's defaults which always apply the security filter to the error dispatch.

One thing to note is that, adding permitAll to the /error page is not quite the same as the getting the behavior from Spring Boot 2.7.x back. permitAll() allows anyone to access the error page while in Spring Boot 2.7, the default was only to allow access to the error page if access to the original request was allowed. It's good to verify that public access to the error page is okay before adding permitAll. I've created an issue in Spring Security to see if this can be fixed there.

@izeye

This comment was marked as resolved.

Sign in to view
@mbhave

This comment was marked as resolved.

Sign in to view
@philwebb philwebb mentioned this issue Mar 14, 2023
Closed
@marcusdacoregio marcusdacoregio mentioned this issue Jul 12, 2023
Closed
@funnyJack funnyJack mentioned this issue Apr 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: invalid An issue that we don't feel is valid
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@scottfrederick @bclozel @philwebb @izeye @mbhave @spring-projects-issues @xuanswe