The FilterSecurityInterceptor and AuthorizationFilter now apply to every request by default.
This led to a problem from Spring Boot's perspective:
Consider the following configuration:
```java
@Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception { // build() declares Exception
http.authorizeHttpRequests(requests -> requests
.antMatchers("/public/**").permitAll()
.anyRequest().authenticated()
);
return http.build();
}
```
If a request is made to GET /public/notfound with no credentials, then we expect a 404 - Not Found. Instead, Spring Boot will handle the exception and forward the request to /error with DispatcherType.ERROR. The /error endpoint is protected, an AuthenticationException is thrown and ExceptionTranslationFilter transforms it to a 401 - Unauthorized.
We should consider adding an option to ExceptionTranslationFilter that configures it to swallow the Spring Security exceptions from specified DispatcherTypes. Something like:
```java
@Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
...
http.exceptionHandling(exception -> exception
.swallowExceptionsForDispatcherTypes(List.of(DispatcherType.ERROR)) // proposed, not an existing API
);
return http.build();
}
```
This way we keep the original response status code but apply all the authorization rules to that endpoint.
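As an added example (not code from this issue, and not the option proposed above, which does not exist), the following shows the configuration that reproduces the 404-becomes-401 behaviour next to one that keeps the container's original status. It uses the `dispatcherTypeMatchers` rule of the `authorizeHttpRequests` registry and assumes Spring Security 6 on Spring Boot 3 (`jakarta.servlet`); the class name and the `/public/**` path are placeholders.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ErrorDispatchSecurityConfig {

    // Reproduces the problem: GET /public/notfound -> 404 from MVC -> Boot forwards
    // to /error with DispatcherType.ERROR -> anyRequest().authenticated() rejects the
    // anonymous ERROR dispatch -> ExceptionTranslationFilter answers 401 instead of 404.
    SecurityFilterChain problematic(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
            .requestMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
        );
        return http.build();
    }

    // Keeps the original status: the ERROR dispatch (the container's internal forward
    // to /error) is permitted before the catch-all rule, so the 404 survives.
    // Caveat: this is a different trade-off from the option proposed in the issue.
    // Authorization rules are NOT evaluated for ERROR dispatches at all, so the error
    // body rendered by BasicErrorController is reachable for any failed request.
    // A direct client request to /error is still a REQUEST dispatch and still hits
    // anyRequest().authenticated(), so the endpoint is not exposed by this rule.
    @Bean
    SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
            .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
            .requestMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
        );
        return http.build();
    }
}
```

Rule order matters: the `dispatcherTypeMatchers` line must precede `anyRequest()`, because the registry uses the first matching rule.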
See: