After updating from 5.6.1 to 5.6.2 (by updating from Boot 2.6.3 to 2.6.4), the Boot /error page isn't accessible anymore in certain cases.
Here's a sample app with an integration test that showcases the issue: spring-boot-errorpage-security-issue.zip
I reported this as a Boot issue first (as I wasn't sure what the root problem is). Andy Wilkinson had a look and concluded that this is related to Spring Security rather than the way that Boot sets up its /error page.
There are workarounds, like explicitly permitting access to /error or using authorizeRequests instead of authorizeHttpRequests, but without additional info I do expect this to be a regression bug.
Hey, I was wondering if you could at least confirm that this is considered a bug. Also, not sure if you saw Andy's comment in the Boot-issue, but when you use authorizeRequests instead of authorizeHttpRequests the behavior is as expected.
You can see the following in the debug logs: "Abstaining since did not find matching RequestMatcher". There was a bug with the AuthorizationManagerWebInvocationPrivilegeEvaluator where it denied access if there was no decision, also known as AuthorizationDecision == null.
When using authorizeRequests() it works because it uses the DefaultWebInvocationPrivilegeEvaluator.
Can you please try the version 5.6.3-SNAPSHOT of Spring Security and confirm if it works?
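The abstain-versus-deny distinction described in the reply above, as an added example: a simplified plain-Java model, not Spring Security's code and not written by anyone in this thread. The class name, method names and rule set are hypothetical, and the second evaluator is an assumption about what not denying on a missing decision looks like.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Simplified model of the behaviour discussed in the thread. Hypothetical names throughout.
public class AbstainVersusDeny {

    // Walks the rules in order. TRUE = grant, FALSE = deny, null = abstain (no rule matched).
    static Boolean check(Map<Predicate<String>, Boolean> rules, String path) {
        for (Map.Entry<Predicate<String>, Boolean> rule : rules.entrySet()) {
            if (rule.getKey().test(path)) {
                return rule.getValue();
            }
        }
        return null; // corresponds to "did not find matching RequestMatcher"
    }

    // Behaviour reported as the bug: a missing decision is treated as a denial.
    static boolean allowedDenyOnAbstain(Boolean decision) {
        return decision != null && decision;
    }

    // Assumed alternative: only an explicit deny blocks; abstain does not.
    static boolean allowedUnlessDenied(Boolean decision) {
        return decision == null || decision;
    }

    static String describe(Map<Predicate<String>, Boolean> rules, String path) {
        Boolean d = check(rules, path);
        String label = d == null ? "abstain" : (d ? "grant" : "deny");
        return String.format("%-13s %-8s denyOnAbstain=%-5b unlessDenied=%b",
                path, label, allowedDenyOnAbstain(d), allowedUnlessDenied(d));
    }

    public static void main(String[] args) {
        // Constructed rule set with no rule covering /error.
        Map<Predicate<String>, Boolean> rules = new LinkedHashMap<>();
        rules.put(p -> p.startsWith("/public/"), Boolean.TRUE);
        rules.put(p -> p.startsWith("/admin/"), Boolean.FALSE);
        for (String path : new String[] {"/public/info", "/admin/users", "/error"}) {
            System.out.println(describe(rules, path));
        }
        // Workaround from the thread: an explicit permit rule for /error
        // yields a real decision, so both evaluators agree.
        rules.put(p -> p.equals("/error"), Boolean.TRUE);
        System.out.println(describe(rules, "/error"));
    }
}
```

Only the `/error` row without an explicit rule differs between the two evaluators, which is why permitting `/error` explicitly works around the problem.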