Skip error page security filter for non-error dispatch type

Update `ErrorPageSecurityFilter` to defensively check that the `DispatcherType` is `ERROR`. Although this check isn't necessary for regular applications, it is needed if MockMvc is being used. Fixes gh-28759
spring-projects · Nov 24, 2021 · f621937 · f621937
1 parent 4eed637
commit f621937
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/...ot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java b/...ot/src/main/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilter.java
@@ -18,6 +18,7 @@
 
 import java.io.IOException;
 
+import javax.servlet.DispatcherType;
 import javax.servlet.FilterChain;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
@@ -54,10 +55,12 @@ public ErrorPageSecurityFilter(ApplicationContext context) {
 	@Override
 	public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
 			throws IOException, ServletException {
-		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-		if (!getPrivilegeEvaluator().isAllowed(request.getRequestURI(), authentication)) {
-			sendError(request, response);
-			return;
+		if (DispatcherType.ERROR.equals(request.getDispatcherType())) {
+			Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+			if (!getPrivilegeEvaluator().isAllowed(request.getRequestURI(), authentication)) {
+				sendError(request, response);
+				return;
+			}
 		}
 		chain.doFilter(request, response);
 	}

diff --git a/...c/test/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilterTests.java b/...c/test/java/org/springframework/boot/web/servlet/filter/ErrorPageSecurityFilterTests.java
@@ -16,6 +16,7 @@
 
 package org.springframework.boot.web.servlet.filter;
 
+import javax.servlet.DispatcherType;
 import javax.servlet.FilterChain;
 import javax.servlet.RequestDispatcher;
 
@@ -58,6 +59,7 @@ class ErrorPageSecurityFilterTests {
 
 	@BeforeEach
 	void setup() {
+		this.request.setDispatcherType(DispatcherType.ERROR);
 		given(this.context.getBean(WebInvocationPrivilegeEvaluator.class)).willReturn(this.privilegeEvaluator);
 		this.securityFilter = new ErrorPageSecurityFilter(this.context);
 	}
@@ -95,4 +97,13 @@ void whenPrivilegeEvaluatorIsNotPresentAccessIsAllowed() throws Exception {
 		verify(this.filterChain).doFilter(this.request, this.response);
 	}
 
+	@Test
+	void ignorePrivilegeEvaluationForNonErrorDispatchType() throws Exception {
+		this.request.setDispatcherType(DispatcherType.REQUEST);
+		given(this.privilegeEvaluator.isAllowed(anyString(), any())).willReturn(false);
+		this.securityFilter.doFilter(this.request, this.response, this.filterChain);
+		verifyNoInteractions(this.privilegeEvaluator);
+		verify(this.filterChain).doFilter(this.request, this.response);
+	}
+
 }