Error page causing status change 403 -> 401 with stateless sessions #31852

Closed
jeffbswope opened this issue Jul 23, 2022 · 3 comments
Labels
status: duplicate A duplicate of another issue

Comments

@jeffbswope

Newly moving to 3.0.0-M4 from M3 with a more-or-less default setup, the error page is throwing a 401 and obscuring the original error when using stateless sessions (and basic auth?).

I recall seeing some bugs in this area, among them #29564 and #28953, which might be related -- but it seems like there are lots of scenarios and lots of changes in this area on both the security and boot side. Basically the error page invocation loses the authentication status of the original request.

Reproduction is here now: https://github.com/jeffbswope/null-servletcontext-errorpagefilter

(Re-using repo from old reproduction, disregard the name.)

If you disable the SessionCreationPolicy.NEVER setting, the tests pass and things seem to work.

Making /error permit all also "fixes" the problem but I don't think that's necessarily recommended.

Notable logs from hitting the page without the right role:

2022-07-23T15:59:46.210-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /fobs
2022-07-23T15:59:46.373-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.a.dao.DaoAuthenticationProvider    : Authenticated user
2022-07-23T15:59:46.373-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter  : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=other, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_OTHER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_OTHER]]
2022-07-23T15:59:46.373-05:00 DEBUG 27068 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : The HttpSession is currently null, and the HttpSessionSecurityContextRepository is prohibited from creating an HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request
2022-07-23T15:59:46.373-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [GET /fobs] with attributes [authenticated]
2022-07-23T15:59:46.373-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Secured GET /fobs
2022-07-23T15:59:46.373-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : GET "/fobs", parameters={}
2022-07-23T15:59:46.389-05:00 DEBUG 27068 --- [nio-8080-exec-1] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.example.nullservletcontexterrorpagefilter.NullServletcontextErrorpagefilterApplication$FobController#getFobs()
2022-07-23T15:59:46.389-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.a.i.a.MethodSecurityInterceptor    : Failed to authorize ReflectiveMethodInvocation: public java.util.List com.example.nullservletcontexterrorpagefilter.NullServletcontextErrorpagefilterApplication$FobController.getFobs(); target is of class [com.example.nullservletcontexterrorpagefilter.NullServletcontextErrorpagefilterApplication$FobController] with attributes [[authorize: 'hasRole('FOB_MANAGER')', filter: 'null', filterTarget: 'null']]
2022-07-23T15:59:46.389-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Failed to complete request: org.springframework.security.access.AccessDeniedException: Access is denied
2022-07-23T15:59:46.389-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code
2022-07-23T15:59:46.404-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
2022-07-23T15:59:46.404-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2022-07-23T15:59:46.404-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2022-07-23T15:59:46.404-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /error] with attributes [authenticated]
2022-07-23T15:59:46.404-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2022-07-23T15:59:46.427-05:00 DEBUG 27068 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8080/error to session
2022-07-23T15:59:46.427-05:00 DEBUG 27068 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
2022-07-23T15:59:46.427-05:00 DEBUG 27068 --- [nio-8080-exec-1] s.w.a.DelegatingAuthenticationEntryPoint : No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@2a03d56
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 23, 2022
@wilkinsona
Member

Thanks for the report. This is due to Spring Security now filtering every dispatch by default. This commit uses filterSecurityInterceptorOncePerRequest(true) to adapt to this change by restoring the previous behaviour. We're working with the Security team at the moment to improve this. #31703 is tracking any changes that may be necessary in Spring Boot and spring-projects/spring-security#10919 is tracking things on the Spring Security side.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jul 25, 2022
@wilkinsona wilkinsona added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 25, 2022
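As an added example (not the reporter's repository, the Spring Boot commit referred to above, or Spring Security's own code), a Spring Boot 3.0 security configuration that applies the restoration wilkinsona describes; the class name is an assumption, and the NEVER session policy and basic auth mirror the reporter's logs.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Assumed class name for this illustration.
@Configuration
public class StatelessErrorDispatchConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Stateless sessions: the SecurityContext is never stored in an
            // HttpSession, so nothing carries over from the original request
            // into the ERROR dispatch to /error.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.NEVER))
            .httpBasic(Customizer.withDefaults())
            .authorizeRequests(authorize -> authorize
                // Spring Security 6 authorizes every dispatch by default. With
                // the default (false), the ERROR dispatch runs as anonymous,
                // fails the "authenticated" rule, and the basic-auth entry point
                // turns the original 403 into a 401 (see the logs above).
                // true restores the pre-6.0 once-per-request behaviour.
                .filterSecurityInterceptorOncePerRequest(true)
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With this in place, a request from a valid user who lacks the required role should come back as 403 rather than 401, which is the assertion to keep in a regression test for this setup.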
@iozyigit0

iozyigit0 commented Sep 18, 2023

Still getting this error:
org.springframework.security.authentication.BadCredentialsException: Bad credentials returns 403.
Making "/error permit all" also isn't fixing it.
spring-boot-starter-parent = 3.0.5

@wilkinsona
Member

@iozyigit0 Unfortunately, this is to be expected as the Spring Security team chose not to make the changes that were necessary for Spring Boot to reliably and robustly improve things in this area. If you disagree with this decision, please raise it with them.
