
Spring Security redirect breaks in 0.27.0

piefel opened this issue 3 years ago • 4 comments

When switching from 0.26.2 to 0.27.0, the behaviour of my Spring Boot app changed: instead of getting 302 redirects I suddenly get 500 or 200.

Description

I have a Spring Boot web app using form-based login, and unauthenticated accesses to endpoints should result in 302 Found responses with a redirect to /login. Worked great. I use the simplest possible problem config:

@ControllerAdvice
class ExceptionHandling : ProblemHandling

(Yeah, that’s Kotlin.)

When I switched to org.zalando:problem-spring-web-starter:0.27.2, things changed. Suddenly, the answer was 500 Internal Server Error with a message of Full authentication is required to access this resource from somewhere deep in Spring Security.

Alternative Problem

Changing the configuration to use the problem library, but without GeneralAdviceTrait:

@ControllerAdvice
class ExceptionHandling :
    HttpAdviceTrait, IOAdviceTrait, NetworkAdviceTrait, RoutingAdviceTrait, ValidationAdviceTrait

Now there are no 500s anymore… But instead I get 200s (with an empty body) for all requests that are supposed to be unauthenticated and redirect.

Your Environment

  • Spring Boot 2.5.5
  • problem-spring-web 0.27.0

piefel, Oct 14 '21 14:10

@aafwu00 Could this be related to #674?

whiskeysierra, Oct 18 '21 18:10

@piefel Could you provide sample code or test code?

aafwu00, Oct 19 '21 01:10

I created a quite minimal project: problem-problem.zip. Gradle wrapper omitted for size.

The attached project, when run, will answer with 500 on /api/you (actually, anything but /api/me and /favicon.ico). Changing the version of problem-spring-web-starter to 0.26.2 in the Gradle file will change that behaviour back to the expected 302 instead.

piefel, Oct 21 '21 15:10

@piefel, thank you for providing the code.

First of all, when using problem-spring-web with Spring Security, ExceptionHandling must extend both ProblemHandling and SecurityAdviceTrait. (https://github.com/zalando/problem-spring-web/tree/main/problem-spring-web#security)

I think problem-spring-web is not working with security when using version 0.26.2. If you want to use form login, try calling /api/admin (which has the ADMIN role). This is a fixed example: problem-problem-0.26.2.zip; check the files ExceptionHandling.kt, application.properties and TestUserSecurityConfiguration.kt.

Version 0.27.0 changed this. Spring Security exceptionHandling is force-configured, like this:

http.exceptionHandling().authenticationEntryPoint(support).accessDeniedHandler(support);

So if you want to disable that and configure custom exceptionHandling:

  1. Exclude the autoconfiguration ProblemSecurityAutoConfiguration (application.properties)
  2. @Import SecurityProblemSupport.class (TestUserSecurityConfiguration.kt)
  3. disableDefaults when extending WebSecurityConfigurerAdapter (TestUserSecurityConfiguration.kt)
  4. And configure custom exceptionHandling (TestUserSecurityConfiguration.kt). Here is an example: problem-problem-0.27.0.zip

@whiskeysierra, version 0.27.0 force-sets the problem handling (http.exceptionHandling().authenticationEntryPoint(support).accessDeniedHandler(support)). I think a way to solve this problem is to provide a property like problem.security.exception-handling.enabled=false. What do you think? Or if you have a better way, please let me know.

aafwu00, Oct 23 '21 03:10
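A worked version of the steps above, added here as an example and not taken from the attached zips: it excludes the autoconfiguration (step 1), imports SecurityProblemSupport (step 2) and configures exceptionHandling itself (step 4) so that browser requests keep the 302 redirect to /login while unauthenticated /api/** calls get a Problem JSON 401 from the library. It keeps the adapter defaults rather than passing disableDefaults = true (step 3), because that also drops securityContext, sessionManagement, csrf and the generated login page that form login relies on; if your setup needs step 3, re-add those explicitly. The fully qualified name of ProblemSecurityAutoConfiguration in the properties comment is assumed and should be checked against the version you run.

```kotlin
// TestUserSecurityConfiguration.kt (constructed example, matching Spring Boot 2.5 / Spring Security 5.5)
import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.Import
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.web.AuthenticationEntryPoint
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint
import org.springframework.security.web.util.matcher.AntPathRequestMatcher
import org.springframework.security.web.util.matcher.RequestMatcher
import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport

// Step 1 lives in application.properties (class name assumed, verify for your version):
//   spring.autoconfigure.exclude=org.zalando.problem.spring.web.autoconfigure.security.ProblemSecurityAutoConfiguration

@Configuration
@Import(SecurityProblemSupport::class)                 // step 2: the library's entry point / denied handler bean
class TestUserSecurityConfiguration(
    private val problemSupport: SecurityProblemSupport,
) : WebSecurityConfigurerAdapter() {                     // defaults kept on purpose, see note above (step 3)

    override fun configure(http: HttpSecurity) {
        // Unauthenticated /api/** requests get an RFC 7807 Problem (401) from problemSupport;
        // everything else falls back to the classic redirect (302) to /login.
        val entryPoint = DelegatingAuthenticationEntryPoint(
            linkedMapOf<RequestMatcher, AuthenticationEntryPoint>(
                AntPathRequestMatcher("/api/**") to problemSupport,
            ),
        ).apply { setDefaultEntryPoint(LoginUrlAuthenticationEntryPoint("/login")) }

        http
            .authorizeRequests()
                .antMatchers("/login", "/favicon.ico").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .exceptionHandling()                           // step 4: our own handling, not the forced one
                .authenticationEntryPoint(entryPoint)      // explicit entry point wins over formLogin's default
                .accessDeniedHandler(problemSupport)       // 403 is also rendered as Problem JSON
    }
}
```

With this in place the ExceptionHandling advice only needs ProblemHandling plus SecurityAdviceTrait, as the README section linked above describes; without SecurityAdviceTrait an AuthenticationException routed through SecurityProblemSupport still lands in the generic Throwable handler and becomes the 500 from the original report.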