I recently upgraded to Spring Boot 3 in an application with Thymeleaf, and my custom 403 pages are no longer working.

Prior to the upgrade, I believe this line was key: `http.exceptionHandling().defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), new AntPathRequestMatcher("/**"));`

Since the upgrade, when I'm not authenticated and try to access a restricted page, I just get this default error screen. This is my security filter chain.

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeHttpRequests(requests -> requests
                        .requestMatchers("/",
                                "/login",
                                "/css/**",
                                "/js/**",
                                "/images/**",
                                "/static/favicon.ico",
                                "/favicon.ico",
                                "/fullscreen").permitAll()
                        .anyRequest().authenticated()
                )
                .formLogin(form -> form
                        .loginPage("/login")
                        .permitAll()
                )
                .logout(logout -> logout
                        .logoutSuccessUrl("/logout-success")
                        .permitAll())
                .exceptionHandling()
                .defaultAuthenticationEntryPointFor(new Http403ForbiddenEntryPoint(), new AntPathRequestMatcher("/**"));
        return http.build();
    }

When logged in, my 404 and 500 error pages work as expected. I think there is something missing in the way I set up the security filter chain that is preventing this custom 403 error page from working. I couldn't find any resources on how to achieve this with Spring Boot 3. Any suggestions?

larjae
  • My custom error page is a styled page to match my application. Why would my application return the browser error page instead of the one from Spring? – larjae Jan 15 '23 at 22:29
  • What can I do to return my custom 403 page (located in errors/403.html) instead? – larjae Jan 17 '23 at 11:21
  • This is the solution I was using before where Spring + Thymeleaf automatically handled the error pages. https://stackoverflow.com/a/44515671/8509119 – larjae Jan 18 '23 at 02:44
  • Also, the reason I need to set `new Http403ForbiddenEntryPoint()` is so that it does not redirect to the login page when the user tries to access an unauthorized page. I want to return my 403 page instead. – larjae Jan 18 '23 at 02:53
  • Ok, then you have to permit your error page. This is the relevant change in Spring Boot 3: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#dispatch-types – dur Jan 18 '23 at 10:19

1 Answer

Thanks to the comments from @dur, the solution was to add `spring.security.filter.dispatcher-types=request` to my `application.properties` file.

larjae
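
An alternative to the property in the answer, following dur's comment about permitting the error page: keep the security filter on every dispatch type and permit only the container's `ERROR` dispatch inside the filter chain. This is an added example, not code from the question or the answer; the class name `SecurityConfig` is an assumption, and the rest mirrors the chain in the question.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable()) // kept as in the question
                .authorizeHttpRequests(requests -> requests
                        // Spring Boot 3 runs the security filter on ERROR dispatches too.
                        // Without this rule, the internal dispatch that renders the error
                        // page is itself denied for anonymous users, so the custom 403
                        // template is never reached.
                        .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                        .requestMatchers("/", "/login", "/css/**", "/js/**", "/images/**",
                                "/static/favicon.ico", "/favicon.ico", "/fullscreen").permitAll()
                        // A direct client request to any other path is a REQUEST dispatch
                        // and still has to be authenticated.
                        .anyRequest().authenticated()
                )
                .formLogin(form -> form.loginPage("/login").permitAll())
                .logout(logout -> logout.logoutSuccessUrl("/logout-success").permitAll())
                .exceptionHandling(ex -> ex
                        // Answer unauthenticated requests with 403 instead of a login redirect.
                        .defaultAuthenticationEntryPointFor(
                                new Http403ForbiddenEntryPoint(), new AntPathRequestMatcher("/**")));
        return http.build();
    }
}
```

Compared with `spring.security.filter.dispatcher-types=request`, this leaves the security filter registered for error, forward, include and async dispatches instead of limiting it to the initial request.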