
I have implemented two endpoints:

  1. /sample -> which returns the word 'sample'
  2. /api/v1/current -> which returns the word 'current'

And I have configured Spring Security as follows, to permit /api/** if authenticated.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Custom filter from the application (not shown in the question)
    @Autowired
    private ResourceOwnershipFilter filter;

    @Bean
    @Profile({"dev"})
    public SecurityFilterChain configureSecurity(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(authorize -> authorize
                        // OpenAPI/Swagger endpoints are open to everyone
                        .requestMatchers("/swagger-ui/**", "/v3/**").permitAll()
                        // Everything under /api/ requires an authenticated caller
                        .requestMatchers("/api/**").authenticated()
                )
                .csrf().disable()
                .cors().disable()
                // No HTTP session: every request must carry its own credentials
                .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                .formLogin().disable()
                .httpBasic().disable()
                // Run the ownership filter before the standard authentication filter
                .addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}

I don't understand why requests made to /api/v1/doesnotexists return 403 (Access Denied) instead of 404 (Not Found).

I can confirm that all requests are authenticated.

dur
whatspoppin
  • Can you share the filter so that people can replicate this? – Neeraj Jan 24 '23 at 02:15
  • Does this answer your question? [Receiving 403 instead of 404 when calling non existing endpoint](https://stackoverflow.com/questions/70054528/receiving-403-instead-of-404-when-calling-non-existing-endpoint) – dur Feb 13 '23 at 21:16

1 Answer

This is expected behaviour to prevent leakage of path info. Have a look at this answer.

John Williams