Error page causing status change 403 -> 401 with stateless sessions #31852
Comments
Thanks for the report. This is due to Spring Security now filtering every dispatch by default. This commit uses
Still getting this error
@iozyigit0 Unfortunately, this is to be expected as the Spring Security team chose not to make the changes that were necessary for Spring Boot to reliably and robustly improve things in this area. If you disagree with this decision, please raise it with them.
Newly moving to `3.0.0-M4` from `M3` with more-or-less default setup the error page is throwing a 401 and obscuring the original error when using stateless sessions (and basic auth?)

I recall seeing some bugs in this area, among them #29564 and #28953, which might be related -- but seems like there are lots of scenarios and lots of changes in this area on both the security and boot side. Basically the error page invocation loses the authentication status of the original request.

Reproduction is here now: https://github.com/jeffbswope/null-servletcontext-errorpagefilter
(Re-using repo from old reproduction, disregard the name.)

If you disable the `SessionCreationPolicy.NEVER` setting, the tests pass and things seem to work.

Making `/error` permit all also "fixes" the problem but I don't think that's necessarily recommended.

Notable logs from hitting the page without the right role:
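Added example, not part of the original issue or of the Spring projects' code: a security configuration matching the setup the reporter describes (`SessionCreationPolicy.NEVER` with basic auth), showing the `/error` permit-all workaround from the report beside a narrower rule that permits only the container's ERROR dispatch. It goes slightly beyond the report by using `dispatcherTypeMatchers`, which assumes Spring Security 6.0 or later; the `/admin/**` path and `ADMIN` role are hypothetical.

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class StatelessSecurityConfig {

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // Setting named in the report: no session is created, so the
            // authentication of the original request is not stored anywhere
            // the later error dispatch could read it back from.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.NEVER))
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                // Narrow rule: allow only the container's internal ERROR
                // dispatch, so the error page can render the original status
                // (403) instead of being rejected itself (401).
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()

                // Reporter's workaround, broader: it also lets an anonymous
                // client request /error directly. Use one rule or the other.
                // .requestMatchers("/error").permitAll()

                // Hypothetical protected area used to trigger the 403.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

A regression check for this needs a real servlet container (for example a random-port `@SpringBootTest`), because the 403 to `/error` hand-off is performed by the container's error dispatch.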