
I'm trying to configure my Spring Boot Security (with Kotlin), I've got a certain request mapping that doesn't require authentication. The following config works fine as long as the response of my endpoints is 200.

However, if any exception is thrown in the code, it always returns 403 with no message. For example, if a ResponseStatusException with status code 400 is thrown, it still returns 403. Or for example if a request param is missing, it returns 403. Here's my config:

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        // Only this path is permitted; no rule is declared for any other path,
        // including the /error dispatch that Spring Boot uses after an exception.
        http.authorizeHttpRequests().requestMatchers("/v1/resource/*").permitAll()
        return http.build()
    }
}

I've tried disabling exception handling with http.exceptionHandling().disable() and I can see the correct status code and error message. However, the problem is that it's returned as HTML.

What am I doing wrong? See logs below:

2023-04-28T16:15:19.858-04:00 DEBUG 145941 --- [o-auto-1-exec-1] .m.m.a.ExceptionHandlerExceptionResolver : Using @ExceptionHandler test.exception.handler.RestResponseEntityExceptionHandler#handleUnhandledException(Exception, WebRequest)
2023-04-28T16:15:19.862-04:00 DEBUG 145941 --- [o-auto-1-exec-1] .w.s.m.a.ResponseStatusExceptionResolver : Resolved [test.exception.NotFoundException: Test error]
2023-04-28T16:15:19.863-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.web.servlet.DispatcherServlet        : Completed 404 NOT_FOUND
2023-04-28T16:15:19.864-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.a.c.c.C.[Tomcat].[localhost]           : Processing ErrorPage[errorCode=0, location=/error]
2023-04-28T16:15:19.868-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2023-04-28T16:15:19.869-04:00 DEBUG 145941 --- [o-auto-1-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2023-04-28T16:15:19.870-04:00 DEBUG 145941 --- [o-auto-1-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2023-04-28T16:15:19.873-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2023-04-28T16:15:19.874-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint     : Pre-authenticated entry point called. Rejecting access
2023-04-28T16:15:19.874-04:00 DEBUG 145941 --- [o-auto-1-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet]    :  Disabling the response for further output
2023-04-28T16:15:19.876-04:00 DEBUG 145941 --- [           main] org.apache.http.wire                     :  << "HTTP/1.1 403 [\r][\n]"
Daniel
  • Before asking someone to elaborate you should use Google https://stackoverflow.com/a/47729991/1840146. All you needed to Google was "how do I enable Spring Security debug logging", and there is an entire chapter on logging in the Spring Boot documentation https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#features.logging.log-levels. If you don't understand an answer someone gives you, it means that you have done too little research. You don't know how to do it because you didn't read the most obvious source: the chapter that says "logging" in the Spring Boot docs. – Toerktumlare Mar 31 '23 at 10:13
  • Sorry if I upset you, I just thought your answer was vague. I was actually talking about CORS and CSRF. Why would it only affect exceptions and not 200 responses too? – Daniel Mar 31 '23 at 10:48
  • If you read about CORS, how it works, what its purpose is, etc., you will understand that it's not about 200 or exceptions. It's dependent on GET or POST or any other type of request that mutates the state on the server. I can't teach you CORS in a comment; read the MDN docs https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS. We get about 5 questions per day about CORS, CSRF and people not posting their debug logs when asking here. – Toerktumlare Mar 31 '23 at 11:45
  • I'm not upset, I'm pointing out that you are not following what is expected from you https://meta.stackoverflow.com/questions/261592/how-much-research-effort-is-expected-of-stack-overflow-users and https://stackoverflow.com/help/how-to-ask – Toerktumlare Mar 31 '23 at 11:47
  • I've disabled both CORS and CSRF but the issue is still happening, so it's not CORS and/or CSRF. I think the problem is with exception handling. – Daniel Mar 31 '23 at 14:56
  • Well, I and many others don't speculate. You have not posted a single row of debug logging, and the snippet of code you have posted is basically "nothing". I'm voting to close: lack of debugging information. Post FULL debug logs, from start-up and your request, your exact type of request and what it looks like, if you expect any form of help. This is completely unreproducible; read the links I posted on how to ask a proper question. Good luck. – Toerktumlare Mar 31 '23 at 15:03
  • Why would you vote to close? This is a Q&A platform and I think I asked a perfectly reasonable question. And if someone knows the answer it will help others. Why does it bother you if it stays open? I think you’re taking this a bit too seriously, just relax. – Daniel Mar 31 '23 at 15:09
  • I have already told you why: because there is no debug information given, it is not reproducible. Once again, please read the links I have posted https://stackoverflow.com/help/how-to-ask. And yes, SO is a Q&A site, which means the question should be very clear, but as you can see there have been over 10 comments and you have still not posted any debug information. I tried helping you, for free, but you failed to produce any of the information I asked for. So you have only taken up my time. Good luck. – Toerktumlare Mar 31 '23 at 15:12
  • Read your logs, those are not debug logs: `2023-03-31T16:20:29.765+01:00 INFO`. See that it says `INFO` and `WARN`, but there are no `DEBUG` statements. You didn't read the link I posted before on how to actually enable debug logs in Spring Security... But if you read the logs, you can see that you need to also let requests through to `/error`, so add that to the request matcher. Why you need to add that is documented here https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#web.servlet.spring-mvc.error-handling – Toerktumlare Mar 31 '23 at 16:13

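The fix that the last comment points at, permitting the `/error` dispatch, as an added example written for this edit (not the asker's config and not Spring's own code). It assumes Spring Boot 3 / Spring Security 6, which the `authorizeHttpRequests` / `requestMatchers` calls and the logs above suggest.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests { auth ->
            auth
                // The public endpoint from the question.
                .requestMatchers("/v1/resource/*").permitAll()
                // When a handler throws, Tomcat re-dispatches the request to /error
                // ("Processing ErrorPage[... location=/error]" in the logs) and that
                // dispatch runs through the security filter chain again as an anonymous
                // user. With no rule for /error the path is denied, and
                // Http403ForbiddenEntryPoint overwrites the real 400/404 with a 403.
                .requestMatchers("/error").permitAll()
                // State the default explicitly instead of relying on "no match => deny".
                .anyRequest().authenticated()
        }
        return http.build()
    }
}
```

Permitting `/error` makes the error page reachable without authentication, so keep Spring Boot's defaults of `server.error.include-stacktrace=never` and `server.error.include-message=never` so the page does not leak internals to anonymous callers.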
1 Answer


In the end, I couldn't fix it via the Spring Security configuration. What I did instead was write my own custom exception handlers:

import java.util.Date
import org.springframework.http.HttpStatus
import org.springframework.http.ResponseEntity
import org.springframework.web.bind.MissingServletRequestParameterException
import org.springframework.web.bind.annotation.ControllerAdvice
import org.springframework.web.bind.annotation.ExceptionHandler
import org.springframework.web.bind.annotation.RestController
import org.springframework.web.context.request.WebRequest
import org.springframework.web.server.ResponseStatusException

@ControllerAdvice
@RestController
class CustomExceptionHandlerResolver {

    // Handles the exception directly in the controller layer and writes a JSON body,
    // so the request never reaches the /error dispatch that Spring Security rejects.
    @ExceptionHandler(ResponseStatusException::class)
    fun handleResponseStatusException(
        exception: ResponseStatusException,
        webRequest: WebRequest,
    ): ResponseEntity<ExceptionResponse> {
        val exceptionResponse = ExceptionResponse(Date(), exception.reason, webRequest.getDescription(false))
        // Propagate the status the exception carries (e.g. 400 or 404) instead of a 403.
        return ResponseEntity<ExceptionResponse>(exceptionResponse, exception.statusCode)
    }

    // Missing request parameters would otherwise also end up as a 403 via /error.
    @ExceptionHandler(MissingServletRequestParameterException::class)
    fun handleRequestParameterException(
        exception: MissingServletRequestParameterException,
        webRequest: WebRequest,
    ): ResponseEntity<ExceptionResponse> {
        val exceptionResponse = ExceptionResponse(Date(), exception.message, webRequest.getDescription(false))
        return ResponseEntity<ExceptionResponse>(exceptionResponse, HttpStatus.BAD_REQUEST)
    }
}

In the code above, ExceptionResponse is just a data class (POJO):

import java.util.Date

data class ExceptionResponse(
    val date: Date,
    val message: String?,
    val description: String,
)

Daniel