
ResponseStatusException no longer returning response body in 2.6.2 using Spring Security when application has a custom context path #29299

Closed
BATON35 opened this issue Jan 10, 2022 · 10 comments
Labels: type: regression A regression from a previous release

Comments

@BATON35

BATON35 commented Jan 10, 2022

Referring to bug #28953, the problem has not been solved.

No status in response body for 401.
Example project:
https://github.com/BATON35/spring-boot-custom-error-handling.git

Response from Postman for Spring Boot 2.6.2:
[image]

Response from Postman for Spring Boot 2.5.x:
[image]

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 10, 2022
@wilkinsona
Member

@BATON35 The repository to which you've linked doesn't appear to reproduce the problem you've described. For example, as far as I can tell, it doesn't use Spring Security. Can you please clarify?

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Jan 10, 2022
@BATON35
Author

BATON35 commented Jan 10, 2022

@wilkinsona I am sorry. I forgot to update the repository. Now you can reproduce the problem.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 10, 2022
@philwebb
Member

I'm unable to replicate the problem with the sample. If I change the parent POM to <version>2.6.2</version> and remove the version number from spring-boot-starter-security I get the following:

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.2)
...
$ curl http://localhost:8086/demo-controller/test1
<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1></body></html>

@BATON35 Can you please update your sample to use Spring Boot 2.6.2 and provide detailed instructions on how we can replicate the problem?

@philwebb philwebb added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Jan 10, 2022
@lgraf

lgraf commented Jan 14, 2022

@philwebb @wilkinsona I see the same behaviour in our application for HTTP 401/403 errors, even if I add permitAll() to /error in my security configuration.

I put a small example together where the problem can be reproduced: https://github.com/lgraf/error-page-example

The example contains two tests that call a secured rest endpoint and can be used to reproduce the issue.

  1. Call the endpoint without authentication (401 case)

  2. Call the endpoint with an authenticated user without the required permission/role (403 case)

The security configuration contains an explicit permitAll() to /error.

The tests fail with spring-boot 2.6; when I change the spring-boot version back to 2.5 the test cases pass.


Additional observations

As noted in a comment on #28953:

The ErrorPageSecurityFilter uses HttpServletRequest.getRequestURI() as the uri parameter for the WebInvocationPrivilegeEvaluator.isAllowed(uri, authentication) method, which contains the context path. The JavaDoc notes that the context path should be excluded from the uri parameter.

Not sure if it is the root cause of the issue, but if I remove the context-path configuration for the application, the test passes also with spring-boot 2.6.2 (there is a commented-out property configuration to remove the context-path configuration in the test class).
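To make the observation above concrete, here is an added illustration (not Spring Boot's own ErrorPageSecurityFilter code and not from lgraf's sample) of the difference between the context-prefixed getRequestURI() and the context-relative path that WebInvocationPrivilegeEvaluator.isAllowed(uri, authentication) is documented to expect. It assumes spring-security-web, spring-test and JUnit 5 on the classpath with the javax.servlet API that Boot 2.6 uses; contextRelativeUri and RecordingEvaluator are hypothetical helpers written for this example.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import javax.servlet.http.HttpServletRequest;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;

class ErrorPathContextStrippingTest {
    // Hypothetical helper: the context-relative path an error-page privilege check should ask about.
    static String contextRelativeUri(HttpServletRequest request) {
        String uri = request.getRequestURI();          // e.g. "/app/error" (includes the context path)
        String contextPath = request.getContextPath();  // e.g. "/app"
        if (!contextPath.isEmpty() && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    // Test double that records the uri it was asked about instead of consulting real access rules.
    static class RecordingEvaluator implements WebInvocationPrivilegeEvaluator {
        String lastUri;
        @Override public boolean isAllowed(String uri, Authentication authentication) {
            this.lastUri = uri;
            return true;
        }
        @Override public boolean isAllowed(String contextPath, String uri, String method,
                Authentication authentication) {
            this.lastUri = uri;
            return true;
        }
    }

    @Test
    void errorDispatchIsCheckedWithoutContextPath() {
        // Constructed request: application deployed under context path "/app", error dispatch to "/error".
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/app/error");
        request.setContextPath("/app");
        Authentication anonymous = new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        RecordingEvaluator evaluator = new RecordingEvaluator();
        // Passing getRequestURI() directly, as described in the issue, asks about "/app/error",
        // which no antMatchers("/error") rule matches.
        evaluator.isAllowed(request.getRequestURI(), anonymous);
        assertEquals("/app/error", evaluator.lastUri);
        // Stripping the context path asks about the path the security rules are written against.
        evaluator.isAllowed(contextRelativeUri(request), anonymous);
        assertEquals("/error", evaluator.lastUri);
    }
}
```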

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 14, 2022
@wilkinsona wilkinsona changed the title ResponseStatusException no longer returning response body in 2.6.2 using spring security ResponseStatusException no longer returning response body in 2.6.2 using Spring Security when application has a custom context path Jan 20, 2022
@wilkinsona wilkinsona added type: regression A regression from a previous release and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Jan 20, 2022
@wilkinsona wilkinsona added this to the 2.6.3 milestone Jan 20, 2022
@datagitlies

This issue is still not fully resolved. The good news is that 3460c24 makes adding .antMatchers("/error").permitAll() work (which is an improvement), but the issue remains if an application uses .antMatchers("/error").authenticated(); see my comment in #28953.

Why is the authentication in the isAllowed(..) method returning an instance of AnonymousAuthenticationToken when the user is authenticated? It's like the authentication from the SecurityContextHolder is being wiped out somehow before reaching this method or it's not using the same security context as the original request. Any thoughts?

@wilkinsona
Member

wilkinsona commented Feb 4, 2022

@datagitlies Sorry that you're still having problems here. It's hard to say what's happening without seeing a complete example of the problem that you're facing. There are some forthcoming changes in Spring Security that may help here. I tried to describe them in this issue comment. I can't be certain that they'll help as I don't feel that I fully understand your problem. Perhaps you can try the Spring Security snapshot and, if that doesn't help, create a new issue with a minimal sample that reproduces your problem.

@datagitlies

Thanks @wilkinsona - I tried using spring-security 5.6.2-SNAPSHOT but it was the same result for .antMatchers("/error").authenticated() (i.e. no response body for an authenticated user) ... I'll see if I can get a minimal sample project that reproduces my problem. If I get there, I'll just open a new issue with those details.

@mbhave
Contributor

mbhave commented Feb 4, 2022

@datagitlies My guess is that you're using a STATELESS session policy, either by setting it explicitly or via a @Transient authentication. In that case, the Authentication is not available in the SecurityContextHolder once the error dispatch happens. A new issue with a sample that reproduces the issue would be great.

@datagitlies

@mbhave see #29655 which is exactly what you stated above. Is STATELESS no longer supported for this scenario?

@Akshay45xo

@BATON35 hey, how to remove the path from that exception message?

8 participants