The error message of a ForbiddenException is not returned in body but body is empty #1206
Comments
- TestAPI now contains a simple check for HTTP status failures containing a text
- TestAPI now also contains a possibility to check for HTTP status failures + expected JSON output
- JSON check ignores ordering and formatting and relies only on content
- use new TestAPI methods in some integration tests now
- problem shows up now (build will break here)
- Improved and simplified TestAPI
- Improved status code exception validator
With the latest commit, every HTTP status check by TestAPI automatically checks per default
There are some special additional JSON-specific checks available as well.
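As an added example (not SecHub's TestAPI, whose code is not shown on this page), the following Java class implements the two kinds of check the comment above describes: an HTTP status failure whose body must contain a text, and an HTTP status failure whose body must equal an expected JSON document regardless of key order and formatting. The `Response` type and the sample responses are constructed for this example; the class depends only on Jackson. Both checks reject an empty body first, which is exactly the symptom this issue is about.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.util.Objects;

/** Added example in the spirit of the TestAPI checks described in the thread; not SecHub code. */
public final class HttpFailureCheck {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Minimal stand-in for an HTTP response (constructed for this example). */
    public static final class Response {
        final int status;
        final String body;

        Response(int status, String body) {
            this.status = status;
            this.body = body;
        }
    }

    /**
     * Fails on a wrong status, on an empty body (the symptom reported in this issue),
     * or on differing JSON content. Key order and whitespace do not matter because
     * Jackson's ObjectNode.equals compares fields as a map; array order still matters.
     */
    public static void assertFailureWithJson(Response response, int expectedStatus, String expectedJson) {
        assertStatusAndBody(response, expectedStatus);
        JsonNode actual = parse(response.body, "response body");
        JsonNode expected = parse(expectedJson, "expected JSON");
        if (!Objects.equals(expected, actual)) {
            throw new AssertionError("JSON content differs.\nexpected: " + expected + "\nactual:   " + actual);
        }
    }

    /** Weaker variant: the body only has to contain the given text. */
    public static void assertFailureContaining(Response response, int expectedStatus, String expectedText) {
        assertStatusAndBody(response, expectedStatus);
        if (!response.body.contains(expectedText)) {
            throw new AssertionError("body does not contain '" + expectedText + "': " + response.body);
        }
    }

    private static void assertStatusAndBody(Response response, int expectedStatus) {
        if (response.status != expectedStatus) {
            throw new AssertionError("expected HTTP status " + expectedStatus + " but was " + response.status);
        }
        if (response.body == null || response.body.isBlank()) {
            throw new AssertionError("HTTP status " + response.status + " as expected, but the body is empty");
        }
    }

    private static JsonNode parse(String json, String what) {
        try {
            return MAPPER.readTree(json);
        } catch (IOException e) {
            throw new AssertionError(what + " is not valid JSON: " + json, e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample responses, not taken from SecHub logs.
        Response withBody = new Response(403,
                "{\n  \"status\": 403,\n  \"message\": \"Project p1 is deactivated\"\n}");
        Response emptyBody = new Response(403, "");

        // Passes: same content, different key order and formatting.
        assertFailureWithJson(withBody, 403, "{\"message\":\"Project p1 is deactivated\",\"status\":403}");
        assertFailureContaining(withBody, 403, "deactivated");

        // This is the failure the issue describes: correct status, empty body.
        try {
            assertFailureWithJson(emptyBody, 403, "{\"status\":403}");
            throw new IllegalStateException("empty body was not detected");
        } catch (AssertionError e) {
            System.out.println("Detected: " + e.getMessage());
        }
    }
}
```

Comparing parsed `JsonNode` trees rather than strings is what makes the check insensitive to formatting; a plain `String.equals` would have passed or failed depending on how the server happened to serialise the body.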
Next step: Identify exactly which Spring Boot version is the reason for this behaviour. Now I checked
At the official Spring Boot release notes at https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.6-Release-Notes I did not find any information about the new behaviour. After doing some research, I found some GitHub issues explaining that the Reading spring-projects/spring-boot#29655 it also became clear that the information about authentication in a stateless HTTP session is not available for Spring Security at this point of inspection. And this is the reason why we currently have the correct HTTP status but no JSON output on (any) errors, even when correctly authenticated.
Inside spring-projects/spring-security#10918 they mentioned The issue was closed for After checking the implementation and thinking about the impact and the processes, we decided that it is a good way to always permit here the Reason by an example: When we would not use
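To make the mechanism from the last two comments concrete, here is an added example (not SecHub code, and not the fix the thread settled on): a minimal Spring Boot 2.6 / Spring Security 5.6 application with a stateless session, a hypothetical `ForbiddenException`, and a hypothetical `/api/project/{id}` endpoint. It shows the two places a 403 body can be produced. Without the `@RestControllerAdvice`, the `@ResponseStatus` exception is resolved through `response.sendError(403)`, which triggers the container's separate ERROR dispatch to `/error`; that dispatch is the one the comments describe as being checked by Spring Security at a point where the stateless request's authentication is not available, so the client gets 403 with no body. With the advice, the body is written on the original request and no ERROR dispatch happens. The `.antMatchers("/error").permitAll()` line is my assumption about what "always permit" refers to; the visible text of the thread does not say.

```java
import java.util.Map;
import java.util.Set;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RestControllerAdvice;

/** Added example (not SecHub code) for Spring Boot 2.6 / Spring Security 5.6. */
@SpringBootApplication
public class ForbiddenBodyDemo {

    public static void main(String[] args) {
        SpringApplication.run(ForbiddenBodyDemo.class, args);
    }

    /** Hypothetical stand-in for the project's ForbiddenException. */
    @ResponseStatus(HttpStatus.FORBIDDEN)
    public static class ForbiddenException extends RuntimeException {
        public ForbiddenException(String message) {
            super(message);
        }
    }

    @RestController
    public static class ProjectController {
        /** Constructed data: project "p1" is deactivated. */
        private final Set<String> deactivated = Set.of("p1");

        @GetMapping("/api/project/{id}")
        public Map<String, String> project(@PathVariable String id) {
            if (deactivated.contains(id)) {
                throw new ForbiddenException("Project " + id + " is deactivated");
            }
            return Map.of("id", id);
        }
    }

    /**
     * Without this advice, Spring MVC resolves the @ResponseStatus exception via
     * response.sendError(403). That ends the request and the servlet container issues a
     * second, ERROR-type dispatch to /error, where the JSON body would normally be rendered.
     * The thread above found that with Spring Boot 2.6 this second dispatch is subject to
     * Spring Security and that, in a stateless session, the authentication is not available
     * there, hence 403 with an empty body.
     *
     * With this advice the body is written on the original request: no sendError, no ERROR
     * dispatch, and the message reaches the client whatever the rules for /error are.
     */
    @RestControllerAdvice
    public static class ForbiddenExceptionHandler {
        @ExceptionHandler(ForbiddenException.class)
        public ResponseEntity<Map<String, Object>> handle(ForbiddenException e) {
            Map<String, Object> body = Map.of("status", 403, "error", "Forbidden", "message", e.getMessage());
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                    .contentType(MediaType.APPLICATION_JSON)
                    .body(body);
        }
    }

    @Configuration
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    // Assumption for this example: keep the ERROR dispatch to /error reachable so
                    // that the sendError path also yields a body. The thread says the team decided
                    // to "always permit" something here; the visible text does not say what.
                    .antMatchers("/error").permitAll()
                    .anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }
}
```

Run it with `spring.security.user.name` and `spring.security.user.password` set and call `curl -i -u user:password http://localhost:8080/api/project/p1`: the response is 403 with the JSON body from the advice. Remove the advice and the `/error` rule to reproduce the thread's symptom of a 403 with an empty body.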
Situation
When a project is deactivated (via project access level), a ForbiddenException is thrown and the caller gets a 403 Forbidden as expected, but the body is empty instead of the given exception error message.
Wanted
The message of the exception must be available inside the body / the body may not be empty
Analyze
There is something really wrong here. The exception handling is no longer working as expected (and designed for SecHub).
What happens in log files
After reading some logs we have the situation that the forbidden exception was logged correctly with
HTTP status code: 403, JSON:
After a dedicated timestamp we got
HTTP status code: 403, JSON:
so the body is empty.
Which version does it correctly, which wrong?
After further log evaluation it became clear that
Which changes could be relevant?
v0.29.0-server
we switched from Spring Boot 2.5.8 to 2.6.2
v0.29.0-server or v0.29.1-server
So it seems to be the Spring Boot update.
Solution