I wish that my spring web application would simply return status code 403 UNAUTHORIZED instead of redirecting to /login when user is trying to access resource without being logged in or having the correct authorities.
I currently have my spring security set up with oauth2 client login, but I believe it has the same behavior with basic login as well.
@Override
protected void configure(HttpSecurity http) throws Exception
{
http.csrf().disable()
.authorizeRequests()
.antMatchers("/allowed").permitAll()
.anyRequest()
.authenticated()
.and()
.oauth2Login(this::configureOauthLogin) // sets up custom user services
.exceptionHandling()
.accessDeniedHandler((request, response, accessDeniedException) -> {
response.setStatus(HttpStatus.UNAUTHORIZED.value());
});
}
I've tried dealing with it with providing accessDeniedHandler but I don't see that it changes anything as this handler is never actually triggered.
TLDR
Make spring throw 403 instead of 302 on unauthorized requests.
EDIT
Here's a dump of my filter chain
filters = {ArrayList@6668} size = 14
0 = {WebAsyncManagerIntegrationFilter@6635}
1 = {SecurityContextPersistenceFilter@6634}
2 = {HeaderWriterFilter@6633}
3 = {LogoutFilter@6632}
4 = {OAuth2AuthorizationRequestRedirectFilter@6631}
5 = {OAuth2LoginAuthenticationFilter@6630}
6 = {DefaultLoginPageGeneratingFilter@6629}
7 = {DefaultLogoutPageGeneratingFilter@6628}
8 = {RequestCacheAwareFilter@6627}
9 = {SecurityContextHolderAwareRequestFilter@6626}
10 = {AnonymousAuthenticationFilter@6625}
11 = {SessionManagementFilter@6624}
12 = {ExceptionTranslationFilter@6623}
13 = {FilterSecurityInterceptor@6622}
I figured it out, turns out this flow of controll is handled by authenticationEntryPoint in the security config. The following code provides the desired behavior:
http
.exceptionHandling()
.authenticationEntryPoint(new Http403ForbiddenEntryPoint())
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments