ErrorPageSecurityFilter does not honor use of multiple WebSecurityConfigurerAdapter's #28818
Labels
for: external-project
For an external project and not something we can fix
status: duplicate
A duplicate of another issue
Background

`ErrorPageSecurityFilter` was recently added as a step to solve obscure cases where the `/error` path was allowed in some cases where it shouldn't be allowed. The `ErrorPageSecurityFilter` is installed as a filter outside Spring Security's filter chain. The purpose of the filter is to process `ERROR` dispatches and to determine whether the `/error` path is allowed given the current authentication. If it is, it should return the intended error page; otherwise, it should only return the status but no content.

This problem was raised in:

The filter was added to Spring Boot 2.6.0 in:
Previous problems

1. Inheriting from `HttpFilter` instead of `Filter`

The `ErrorPageSecurityFilter` inherits from `HttpFilter` instead of `Filter`, which causes a `ClassDefNotFound` exception in some cases:

2. `MockMvc` fails to exclude the filter for non-`ERROR` dispatches

This problem was raised and discussed in:

The problem is that Spring's `ApplicationFilterChain` takes into account whether the current request is an `ERROR` dispatch or not, and adapts the filter chain accordingly, effectively excluding the new `ErrorPageSecurityFilter` for non-`ERROR` dispatches. The `MockFilterChain` used by `MockMvc` ignores the dispatch type and so includes the `ErrorPageSecurityFilter` in all dispatches, which may cause problems, especially in connection with the bug reported in this issue.

A ticket to fix this was added here:

A temporary fix in which the filter itself checks whether the current dispatch is an `ERROR` or not was devised for release 2.6.1 here:

Bug
Previous problem 2 is also related to the bug reported in this issue, and the fact that both reporters have problems with multiple `WebSecurityConfigurerAdapter`s is indicative of this. The problem is that the `ErrorPageSecurityFilter` relies on the bean `WebInvocationPrivilegeEvaluator`, normally instantiated as a `DefaultWebInvocationPrivilegeEvaluator`, which only takes the last processed `WebSecurityConfigurerAdapter` into account. This often results in the `ErrorPageSecurityFilter` making the wrong decision about the access rights to the `/error` path. This happens typically with a configuration like:

...

where the `ErrorPageSecurityFilter` would always deny access to the `/error` path despite a security config which grants access to the `/error` path to anyone.

Since this is ultimately a problem in Spring Security, a ticket about this has been filed there: `WebInvocationPrivilegeEvaluator` bean should support multiple `SecurityFilterChain`s, spring-security#10554

This ticket is only for reference and should be closed at the same time as the above ticket is closed. For more information, check that ticket.
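As an added illustration (not code from this issue, from Spring Boot or from Spring Security), a hypothetical pair of `WebSecurityConfigurerAdapter`s of the shape the issue describes: one chain scoped to `/api/**`, and a catch-all chain that grants `/error` to anyone. The class names, the `/api/**` path and the `@Order` values are assumptions; only one of the two chains ends up backing the single `DefaultWebInvocationPrivilegeEvaluator` bean that `ErrorPageSecurityFilter` consults, which is the mismatch the issue reports.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Hypothetical chain 1: applies only to requests under /api/** and
    // requires authentication for all of them (no rule for /error here).
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests(a -> a.anyRequest().authenticated())
                .httpBasic();
        }
    }

    // Hypothetical chain 2: catch-all chain that grants /error to anyone
    // and requires a form login for everything else.
    @Configuration
    @Order(2)
    public static class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests(a -> a
                    .antMatchers("/error").permitAll()
                    .anyRequest().authenticated())
                .formLogin();
        }
    }

    // Each adapter contributes its own FilterSecurityInterceptor, but the
    // DefaultWebInvocationPrivilegeEvaluator bean is built from only one of
    // them (per the issue, the last processed adapter). ErrorPageSecurityFilter
    // asks that single evaluator whether /error is allowed, so for ERROR
    // dispatches belonging to the other chain the answer can be wrong even
    // though the chain above grants /error to anyone.
}
```

A quick check for this situation is to trigger an error from a request handled by each chain and compare whether the error page body, or only the status, comes back; a body-less response for a chain that permits `/error` points at the evaluator mismatch described above.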