401 and 403 HTTP statuses never return response body #32212
Comments
Thanks for the sample. I'm not sure what the fake decoder is intended for but I don't think it's doing what it's supposed to do. If I hit

Once access is denied to the controller, the difference in behavior for jwt and basic auth is due to the way Spring Security's

However, it looks like the issue you're reporting is after Spring Security has been able to successfully authenticate a user. Can you modify the sample so that it actually does that with jwt authentication?
You are right, sorry, I messed the sample up somehow. Please try the new sample attached. The folder contains a Postman collection with which you can:

To reproduce:

This means that even though the user is authenticated, 401 or 403 don't result in sending an error body.
I wasn't able to run your sample (I'm not too familiar with how postman collections work). But I think what is missing is the

You can add

Please let us know if that fixes the problem for you. We have an open issue for documenting this #30761.
@mbhave You don't need to use Postman to test this, I just thought it would be helpful, but you can use whatever you like. Here is an example with curl:

```bash
curl --request POST 'https://dev-arg0-cet.us.auth0.com/oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: did=s%3Av0%3A746b8e10-30d0-11ed-a1d5-8f38b5a150f7.ozVaQs3tQb6tEeTOaueXkG2bGcHZYXxNZtGEeDxyzvA; did_compat=s%3Av0%3A746b8e10-30d0-11ed-a1d5-8f38b5a150f7.ozVaQs3tQb6tEeTOaueXkG2bGcHZYXxNZtGEeDxyzvA' \
  --data-urlencode 'client_id=KaGx9BUOBQ692FG1MLgRDtLUIcI2FMUs' \
  --data-urlencode 'client_secret=HCpWio9nwoLopX0AnVFGksdTmULrH1COqEGCWMQA08qz1IedqkiASRBcjaRhUdln' \
  --data-urlencode 'audience=https://test.spring/api' \
  --data-urlencode 'grant_type=client_credentials'
```

to get the token.

```bash
curl --request GET 'http://localhost:8080/test/402' \
  --header 'Authorization: Bearer <the access token value copied in previous step>'
```

You will see that the request to

I will try your suggestion when I'm at my computer, thanks.
Yes, that was it, the repository fixed the problem. Thank you for looking into this. I remember reading about the repository in the docs before but I didn't understand how this would affect me and why I would need it, so I never configured it. Maybe some examples about why one would need it would be helpful?
Thanks for letting us know that it worked for you @wujek-srujek. We have an open issue to add documentation for this #30761.
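The thread names the fix only as "the repository" (the inline code spans were lost when the page was extracted). What follows is an added example, not code from the issue's attached sample and not from the Spring Boot maintainers, of the kind of configuration the exchange points to. It assumes that the repository meant is Spring Security 5.7's `RequestAttributeSecurityContextRepository` (the version shipped with Spring Boot 2.7.3), that the application is the OAuth2 resource server with JWT support the reporter describes, and that a `JwtDecoder` bean or the `spring.security.oauth2.resourceserver.jwt.*` properties are configured elsewhere. The `/test/{status}` controller is likewise an assumption about the shape of the reporter's sample, included so the check from the thread can be repeated.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

/**
 * Added example (not the issue's sample): a JWT resource server whose 401/403
 * responses still carry Spring Boot's default error body.
 */
@Configuration
@EnableWebSecurity
class ResourceServerSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Let the container's error dispatch reach /error. The reporter
                // notes that on its own this is not enough for a bearer-token
                // request, because the authentication is no longer known by the
                // time the error page is rendered.
                .antMatchers("/error").permitAll()
                .anyRequest().authenticated())
            // Assumption: a JwtDecoder bean is defined elsewhere (the reporter's
            // sample uses a fake one; production would use the issuer's JWK set).
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // The "repository" from the thread (assumed): keep the authenticated
            // SecurityContext as an attribute of the current request rather than
            // in an HTTP session, so it is still there when the container
            // dispatches the same request to /error and Spring Boot's error
            // page security check (ErrorPageSecurityFilter, Boot 2.6+) asks
            // whether the caller may see the error page.
            .securityContext(context -> context
                .securityContextRepository(new RequestAttributeSecurityContextRepository()));
        return http.build();
    }
}

/**
 * Reproduction endpoint in the spirit of the reporter's /test/401 and /test/403
 * (an assumption about the attached sample). GET /test/403 with a valid bearer
 * token should answer 403 with the standard {"timestamp":..,"status":403,..}
 * body produced by Spring Boot's default ErrorAttributes, not an empty body.
 */
@RestController
class StatusTestController {

    @GetMapping("/test/{status}")
    String fail(@PathVariable int status) {
        // ResponseStatusException is mapped by Spring Boot to the requested
        // status code; the container then dispatches the request to /error,
        // where the default error body is written.
        throw new ResponseStatusException(HttpStatus.valueOf(status), "forced " + status);
    }
}
```

Start the application with `./mvnw spring-boot:run`, obtain a token as in the curl exchange above, then run `curl -i -H 'Authorization: Bearer <token>' http://localhost:8080/test/403`: the status is 403 and the body is the JSON error document. Removing the `securityContext(...)` call and repeating the request reproduces the empty body the issue describes. Method names are those of Spring Security 5.7; on Spring Security 6 `antMatchers` becomes `requestMatchers`.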
(I found similar issues but in my case even adding `authorize("/error", authentication)` or even `authorize("/error", permitAll)` doesn't help. I have no explicit session policy configuration.)

When using Spring Boot 2.7.3 with Spring Security Resource Server JWT, any exception that is eventually mapped to 401 or 403 results in an empty response body (I'm using the default `ErrorAttributes` from Spring Boot). I remember it working differently some time ago, but cannot nail down the version that changed this.

What I would like the behavior to be: when the user is authenticated I would like to send 401 or 403 with request bodies. Is this possible?

Please see the attached example, run it with `./mvnw spring-boot:run`. (I'm using a fake JWT decoder so that the sample doesn't require real tokens; it doesn't influence the behavior.) When you call `http://localhost:8080/test/401` (or 403) you will get the response without the body, but using any other status does return the body. Switch to basic auth (remember to disable the `tokenDecoder` `@Bean`) and it works fine.

spring_forbidden_test.zip