
Error response body does not match Content-Type #12450

Closed
osiegmar opened this issue Dec 23, 2022 · 8 comments
Labels: in: web (An issue in web modules (web, webmvc)); status: declined (A suggestion or change that we don't feel we should currently apply)

Comments

@osiegmar

Describe the bug
In an application (using Spring Boot 3.0.1) the response body does not match the Content-Type header for a 403 Forbidden response if the request contains the header Accept: application/problem+json, application/json:

Content-Type: application/problem+json

{"timestamp":"2022-12-23T07:44:25.247+00:00","status":403,"error":"Forbidden","path":"/secret"}

Note: I'm using the shown mime type order because of spring-projects/spring-framework#29588

To Reproduce

  • Set up an application with
    • basic auth configuration and
    • an endpoint that needs specific privileges (e.g. @Secured("ROLE_ADMIN"))
  • Send a request to that endpoint
    • with a valid user/auth but insufficient privileges and
    • specify a request header Accept: application/problem+json, application/json

Expected behavior

  • The Content-Type response header must reflect the actual type of the content
  • When Problem Details are enabled, I'd expect that all errors (including 403 Forbidden) are returned as a Problem Detail response (RFC 7807). Also note that 401 Unauthorized does not contain a response body at all – I don't know if this is intended or another bug.

Sample

// Imports added here for completeness (not in the original report); Spring Boot 3 / Spring Security 6 packages
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableWebSecurity
@EnableMethodSecurity
public class Application {

    // Single in-memory user with ROLE_USER only, so /secret (ROLE_ADMIN) yields 403
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
            .username("user").password("password").roles("USER").build());
    }

    // Method security check; a valid user without ROLE_ADMIN triggers AccessDeniedException
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @GetMapping("/secret")
    public String secret() {
        return "Secret";
    }

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

}

Request:

curl -i http://localhost:8080/secret \
     -u "user:password" \
     -H "Accept: application/problem+json, application/json"
@osiegmar osiegmar added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 23, 2022
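The mismatch the report describes comes from Spring Boot's error page being written with a problem+json Content-Type but a non-RFC 7807 body. One way an application can make the header and body agree without waiting on the framework is to let Spring Security write the 401 and 403 responses itself, as an RFC 7807 ProblemDetail, before Boot's ErrorController is ever reached. The following configuration is an added example, not code from the issue or from the Spring projects; it assumes it sits next to the reporter's Application class (which still supplies the UserDetailsService bean), that Boot's autoconfigured ObjectMapper is available for injection, and uses a hypothetical class name and realm string.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;

import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ProblemDetail;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;

// Hypothetical configuration class (not part of Spring Security or the reporter's sample).
@Configuration
public class ProblemDetailSecurityConfig {

    // Boot-configured ObjectMapper: it carries Spring's ProblemDetail Jackson mixin,
    // so the serialized JSON has the flat RFC 7807 shape rather than a nested "properties" map.
    private final ObjectMapper objectMapper;

    public ProblemDetailSecurityConfig(ObjectMapper objectMapper) {
        this.objectMapper = objectMapper;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // 401: missing or bad credentials. Keep the challenge header so clients can retry,
        // but also send a body (the report notes the default 401 has none).
        AuthenticationEntryPoint entryPoint = (request, response, authException) -> {
            response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"Realm\""); // realm name is an assumption
            writeProblem(request, response, HttpStatus.UNAUTHORIZED, "Authentication is required.");
        };

        // 403: authenticated but lacking the required authority (AccessDeniedException).
        // A fixed detail string avoids echoing internal exception messages to the client.
        AccessDeniedHandler deniedHandler = (request, response, denied) ->
            writeProblem(request, response, HttpStatus.FORBIDDEN, "Insufficient privileges.");

        return http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Register the entry point on both the basic-auth filter and the
            // ExceptionTranslationFilter so every 401 path produces the same body.
            .httpBasic(basic -> basic.authenticationEntryPoint(entryPoint))
            .exceptionHandling(ex -> ex
                .authenticationEntryPoint(entryPoint)
                .accessDeniedHandler(deniedHandler))
            .build();
    }

    private void writeProblem(HttpServletRequest request, HttpServletResponse response,
                              HttpStatus status, String detail) throws IOException {
        ProblemDetail problem = ProblemDetail.forStatusAndDetail(status, detail);
        problem.setTitle(status.getReasonPhrase());
        problem.setInstance(URI.create(request.getRequestURI()));

        response.setStatus(status.value());
        // Header and body now agree: application/problem+json carries an RFC 7807 document.
        response.setContentType(MediaType.APPLICATION_PROBLEM_JSON_VALUE);
        response.setCharacterEncoding(StandardCharsets.UTF_8.name());
        response.getWriter().write(objectMapper.writeValueAsString(problem));
    }
}
```

With this in place, the curl command from the report gets a 403 whose body is a problem document (type, title, status, detail, instance) under the same Content-Type, and an unauthenticated request gets a 401 with both the WWW-Authenticate header and a problem body. The handlers run because, in the sample, nothing in the DispatcherServlet's exception resolvers claims the AccessDeniedException raised by @PreAuthorize, so it propagates back to Spring Security's ExceptionTranslationFilter. The example always writes problem+json; a stricter version would inspect the Accept header and fall back to application/json when the client did not ask for problem+json.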
@osiegmar
Author

Maybe related: spring-projects/spring-framework#29626

@singhbaljit
Contributor

I think this is intentional, but I would like this feature as well. I'm using OAuth2, and it would be great for the consistency of our APIs to have 401/403 return OAuth2Error mapped as ProblemDetail, instead of the WWW-Authenticate header.

@singhbaljit
Contributor

Perhaps AccessDeniedException, AuthenticationException, etc. can extend ErrorResponseException.

@jzheaux
Contributor

jzheaux commented Jan 5, 2023

@osiegmar, there's something I'm not quite understanding.

When I create the specified application and run the specified command, this is the result I get:

HTTP/1.1 403 
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Connection: keep-alive
Content-Type: application/problem+json
Date: Thu, 05 Jan 2023 17:25:25 GMT
Expires: 0
Keep-Alive: timeout=60
Pragma: no-cache
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0

{
    "error": "Forbidden",
    "path": "/secret",
    "status": 403,
    "timestamp": "2023-01-05T17:25:25.723+00:00"
}

It seems like a reasonable result, what am I missing?

Second, the response is created by Spring Boot's ErrorController, so it may be better to file an issue there.

@jzheaux jzheaux self-assigned this Jan 5, 2023
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 5, 2023
@singhbaljit
Contributor

@jzheaux can you please share your configuration? I wonder if this is related to spring-projects/spring-boot#32212.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 5, 2023
@jzheaux
Contributor

jzheaux commented Jan 5, 2023

@singhbaljit I copied the code posted in the issue.

Can someone please post a minimal sample (for example, a GitHub repo) that reproduces the issue?

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Jan 5, 2023
@osiegmar
Author

osiegmar commented Jan 5, 2023

@jzheaux You successfully reproduced the issue. The Content-Type response header has a value of application/problem+json but the response body is not a problem detail document as defined by RFC 7807. Either the Content-Type or the body is wrong and I'm unsure if it is caused by Spring Framework, Security or Boot.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 5, 2023
@jzheaux
Contributor

jzheaux commented Jan 6, 2023

I see, thanks for the clarification, @osiegmar.

The page is generated by Spring Boot, so it would be up to them to do the content negotiation. I'm not sure if Spring Boot supports RFC 7807.

I think it's clear enough now to close the issue, but if I've misunderstood and there is something more for Spring Security to do, we can reopen.

@jzheaux jzheaux closed this as completed Jan 6, 2023
@jzheaux jzheaux added status: declined A suggestion or change that we don't feel we should currently apply and removed status: feedback-provided Feedback has been provided labels Jan 6, 2023