
I'm writing some code for user authorization. For users with two-factor authorization enabled I'm writing code for a 2fa secret update:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CurrentUserController {

    @Autowired
    private UserRepository userRepository;

    // id of the authenticated user; how it is resolved is not shown in the question
    private Long currentUserId;

    // produces = image/jpeg: the QR code for the new secret is returned as a JPEG
    @PostMapping(value = "update-2fa-secret", produces = MediaType.IMAGE_JPEG_VALUE)
    public byte[] update2FaSecret() {
        UserEntity user = userRepository.findOne(currentUserId);
        if (user.is2FaEnabled() != Boolean.TRUE)
            throw new HttpForbiddenException("2fa disabled for current user");
        String secret = createNewSecret();
        user.setSecret2Fa(secret);
        userRepository.save(user);
        return createQRCode(secret, user.getEmail());
    }
}

And the exception:

import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ResponseStatus;

// @ResponseStatus makes Spring answer with 403 when this exception escapes a handler
@ResponseStatus(HttpStatus.FORBIDDEN)
public class HttpForbiddenException extends RuntimeException {
............
}

And when the exception happens, I get a response from the server with HTTP status 406 and without a body (content).

I don't understand why this happens and how to solve it. Can somebody explain it to me please?

Bohdan Petrenko
  • 406 means content not acceptable, see https://stackoverflow.com/questions/14251851/what-is-406-not-acceptable-response-in-http; maybe add an appropriate Content-Type header – sagarr Dec 22 '17 at 14:54
  • `@PostMapping`, what are you posting to your controller method? – Rana_S Dec 22 '17 at 16:21
  • @Rossi I decided to use `POST` here because in the case of `GET` it's possible to provide a link, using Skype for example, which changes the 2fa secret of the current user without need. – Bohdan Petrenko Dec 22 '17 at 16:59

1 Answer


I've solved this issue in the following way:

import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CurrentUserController {

    @Autowired
    private UserRepository userRepository;

    private Long currentUserId; // id of the authenticated user, resolved elsewhere

    @PostMapping(value = "update-2fa-secret", produces = MediaType.IMAGE_JPEG_VALUE)
    public byte[] update2FaSecret(HttpServletResponse response) {
        UserEntity user = userRepository.findOne(currentUserId);
        if (user.is2FaEnabled() != Boolean.TRUE) { // fix is here
            // set the status directly instead of throwing, so no error dispatch happens
            response.setStatus(HttpStatus.FORBIDDEN.value()); // 403
            return new byte[0];
        }
        String secret = createNewSecret();
        user.setSecret2Fa(secret);
        userRepository.save(user);
        return createQRCode(secret, user.getEmail());
    }
}
Bohdan Petrenko
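The 406 in the question comes from Spring's error handling: once the handler declares `produces = image/jpeg`, the thrown `@ResponseStatus` exception is forwarded to the error endpoint, whose JSON or HTML error body cannot be written as `image/jpeg`, so content negotiation fails with 406 instead of the intended 403. The accepted answer avoids the forward by writing the status itself. The following is an added example (not code from the question or the answer) of the same endpoint written with `ResponseEntity`, so the 403 carries an explicit status and empty body without touching `HttpServletResponse`, plus an `@ExceptionHandler` for the case where `HttpForbiddenException` is thrown from deeper code. It also generates the secret from `SecureRandom` and encodes it as base32 for an `otpauth://` URI. `UserRepository`, `UserEntity`, `HttpForbiddenException` and `createQRCode` are taken from the page; `CurrentUserProvider`, `QrCodeRenderer` and the `ISSUER` constant are assumed helpers that the page does not define.

```java
import java.security.SecureRandom;

import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CurrentUserController {

    // Hypothetical collaborators, not defined on the page:
    //  - CurrentUserProvider.id() resolves the authenticated user's id from the security context
    //  - QrCodeRenderer.render(String) turns the otpauth URI into JPEG bytes (e.g. via ZXing)
    private final UserRepository userRepository;
    private final CurrentUserProvider currentUser;
    private final QrCodeRenderer qrCodes;

    private static final String ISSUER = "example-app"; // assumed issuer label shown in the authenticator
    private static final String B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // RFC 4648 base32 alphabet
    private static final SecureRandom RNG = new SecureRandom();

    public CurrentUserController(UserRepository userRepository,
                                 CurrentUserProvider currentUser,
                                 QrCodeRenderer qrCodes) {
        this.userRepository = userRepository;
        this.currentUser = currentUser;
        this.qrCodes = qrCodes;
    }

    @PostMapping(value = "update-2fa-secret", produces = MediaType.IMAGE_JPEG_VALUE)
    public ResponseEntity<byte[]> update2FaSecret() {
        UserEntity user = userRepository.findOne(currentUser.id());
        if (!Boolean.TRUE.equals(user.is2FaEnabled())) {
            // Explicit 403 with no body: nothing is forwarded to /error, so no 406
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        String secret = createNewSecret();
        user.setSecret2Fa(secret);
        userRepository.save(user);
        return ResponseEntity.ok()
                .contentType(MediaType.IMAGE_JPEG)
                .body(createQRCode(secret, user.getEmail()));
    }

    // If HttpForbiddenException is thrown from a service layer instead, handle it here so
    // the controller itself answers 403 rather than the container's error page.
    @ExceptionHandler(HttpForbiddenException.class)
    public ResponseEntity<Void> onForbidden(HttpForbiddenException ex) {
        return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
    }

    // 160-bit secret from a CSPRNG, the size RFC 4226 recommends for HOTP/TOTP shared secrets
    static String createNewSecret() {
        byte[] raw = new byte[20];
        RNG.nextBytes(raw);
        return base32(raw);
    }

    // Key URI format understood by common authenticator apps; the secret is base32 without padding
    private byte[] createQRCode(String secret, String email) {
        String uri = "otpauth://totp/" + ISSUER + ":" + email
                + "?secret=" + secret + "&issuer=" + ISSUER;
        return qrCodes.render(uri);
    }

    // Minimal RFC 4648 base32 encoder (no padding); 20 input bytes give exactly 32 characters
    static String base32(byte[] data) {
        StringBuilder sb = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                sb.append(B32.charAt((buffer >> (bits - 5)) & 31));
                bits -= 5;
            }
        }
        if (bits > 0) {
            sb.append(B32.charAt((buffer << (5 - bits)) & 31));
        }
        return sb.toString();
    }
}
```

Keeping the endpoint on `POST`, as the question's author chose, means a plain link cannot trigger the rotation; whatever CSRF protection the application already applies to state-changing requests should cover this endpoint as well, since a successful call invalidates the user's current authenticator enrolment.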