Browser console error shown when secured resource requested with no rights
Description of the bug
In Spring-boot based applications, once a secured resource is requested from the server by a non-authorised user, a browser console error message is logged:
[SEVERE] http://localhost:8888/admin-only/secret.txt?continue - Failed to load resource: the server responded with a status of 403 ()
This is probably an expected behaviour (needs to be checked with docs) and the behaviour changed after upgrading to Spring-boot 3 / Spring 6.
Expected behavior
No browser console errors.
Minimal reproducible example
See integration test AppViewIT::access_restricted_to_admin, it fails with Flow 24.0: it checks that at the end of each test, the browser console has no errors.
When I tested manually, I saw that the error appears for a non-authorised user, but not for an authorised user (when I do the same steps manually).
Versions
- Vaadin / Flow version: 24.0-SNAPSHOT
- Java version: 17
- OS version: Mac
- Browser version (if applicable): Chrome
- Application Server (if applicable): Spring-boot 3
- IDE (if applicable): Intellij Idea
The code that ignores the error is here https://github.com/vaadin/flow/blob/master/flow-tests/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java#L48
The difference is that now there seems to be a ?continue query parameter on the URL
Probably introduced by https://github.com/spring-projects/spring-security/commit/f84f08c4b9da4f326de1fed2772ae5e582d7cdf7 / https://github.com/spring-projects/spring-security/issues/11757 which is not very descriptive
The difference is that now there seems to be a ?continue query parameter on the URL
Indeed, I missed that, thanks!
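One way to keep a console-error allowlist narrow while tolerating the ?continue query parameter discussed above, as an added example that is not the Vaadin test code. It assumes console entries have the message shape quoted in the report; the class and method names are hypothetical and the sample lines are constructed.

```java
import java.net.URI;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ExpectedConsoleErrors {
    // Paths where a 403 for a non-authorised user is the intended outcome (path taken from the report).
    private static final Set<String> EXPECTED_FORBIDDEN_PATHS = Set.of("/admin-only/secret.txt");

    // Message shape as quoted in the report: "[SEVERE] <url> - Failed to load resource: ... status of 403 ()"
    private static final Pattern FAILED_RESOURCE = Pattern.compile(
            "^(?:\\[SEVERE\\] )?(\\S+) - Failed to load resource: "
            + "the server responded with a status of (\\d{3}) \\(.*\\)$");

    // True only for a 403 on an allowlisted path; any query string is ignored.
    static boolean isExpected(String message) {
        Matcher m = FAILED_RESOURCE.matcher(message);
        if (!m.matches() || !"403".equals(m.group(2))) {
            return false;
        }
        try {
            // Compare the path component only, so "?continue" does not defeat the match.
            return EXPECTED_FORBIDDEN_PATHS.contains(URI.create(m.group(1)).getPath());
        } catch (IllegalArgumentException e) {
            return false; // unparsable URL: treat as unexpected so the test still fails
        }
    }

    // Entries a test should still fail on.
    static List<String> unexpected(List<String> messages) {
        return messages.stream().filter(msg -> !isExpected(msg)).toList();
    }

    public static void main(String[] args) {
        String suffix = " - Failed to load resource: the server responded with a status of ";
        // Constructed sample entries: the allowlisted path without and with the query,
        // then a different path and a different status code.
        List<String> constructed = List.of(
                "[SEVERE] http://localhost:8888/admin-only/secret.txt" + suffix + "403 ()",
                "[SEVERE] http://localhost:8888/admin-only/secret.txt?continue" + suffix + "403 ()",
                "[SEVERE] http://localhost:8888/other/file.txt?continue" + suffix + "403 ()",
                "[SEVERE] http://localhost:8888/admin-only/secret.txt" + suffix + "500 ()");
        unexpected(constructed).forEach(System.out::println);
    }
}
```

Matching on status code and path rather than on the full message keeps the filter from hiding other console errors, such as a 403 on a resource that should be reachable or a server error on the protected one.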