Not all Spring AuthenticationException(s) map to a 401 status code #292
Comments
Good point. I wasn't aware of that.

@DBlaesing Is there any security concern with that? Are we running a risk of exposing too much information to an attacker? I was thinking of this, a bit:

Now that we internally agreed that this is the right thing to do, I'm struggling to properly cause an exception of this type in my test.

Sorry, I have been out of action for a long time. The changes look about right, although for some reason I am not able to open the project in IntelliJ (Ultimate). Also the WebFlux test for the SecurityTrait is failing, albeit it should be working.

Does anyone have an idea how to solve that? Otherwise I'm considering closing this without fixing.

@whiskeysierra I left some comments in 78f6c59. Hope that helps.

Expected behaviour comment: Reading the javadocs, I believe InternalAuthenticationServiceException should result in 500, and AuthenticationServiceException is more 503.

I managed to create a reproducible example for this error. In this case Spring throws a

Thanks to @mreilaender! Got it working with your hint! Please update the documentation to say that only one ControllerAdvice should be used.
Description

The AuthenticationAdviceTrait.java#L26 creates a 401 for ALL AuthenticationException(s), but the type hierarchy suggests that there can also be 500-type errors, namely AuthenticationServiceException and its subtype InternalAuthenticationServiceException.

Expected Behavior

A thrown AuthenticationServiceException should result in a 500 to the caller and log an error message.

Actual Behavior

A 401 is returned with a warning log written.

Possible Fix

Steps to Reproduce

Observation while reading the code - got caught out on this issue a while back myself.

Your Environment

0.23.0 using web (not flux)
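As an added illustration (not code from problem-spring-web, nor from anyone in this thread), the following plain Spring @RestControllerAdvice splits the AuthenticationException hierarchy the way the expected behaviour above describes: AuthenticationServiceException (and therefore its subtype InternalAuthenticationServiceException) becomes a 500 with an error log, every other AuthenticationException stays a 401 with a warning. The class name AuthenticationExceptionAdvice, the helper body() and the response body shape are my own choices; the Spring and Spring Security types and annotations are the real ones.

```java
// Added illustration, not problem-spring-web's own AuthenticationAdviceTrait.
// Spring picks the most specific matching @ExceptionHandler for a thrown
// exception, so the AuthenticationServiceException handler wins over the
// generic AuthenticationException handler regardless of method order.
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

@RestControllerAdvice
public class AuthenticationExceptionAdvice {

    private static final Logger log = LoggerFactory.getLogger(AuthenticationExceptionAdvice.class);

    // Server-side failure while authenticating (user store unreachable, provider
    // misconfigured, ...): the client did nothing wrong, so answer 500 and log
    // at error level with the stack trace. InternalAuthenticationServiceException
    // extends this type, so it takes this path as well.
    @ExceptionHandler(AuthenticationServiceException.class)
    public ResponseEntity<Map<String, Object>> handleServiceFailure(AuthenticationServiceException ex) {
        log.error("Authentication infrastructure failure", ex);
        return body(HttpStatus.INTERNAL_SERVER_ERROR, "Authentication could not be performed");
    }

    // Everything else in the hierarchy (bad credentials, expired or disabled
    // account, ...) is a client problem: 401, logged at warn level. Only the
    // exception class name is logged; the message may echo client input.
    @ExceptionHandler(AuthenticationException.class)
    public ResponseEntity<Map<String, Object>> handleUnauthorized(AuthenticationException ex) {
        log.warn("Authentication failed: {}", ex.getClass().getSimpleName());
        return body(HttpStatus.UNAUTHORIZED, "Unauthorized");
    }

    // A fixed, generic detail string goes to the caller in both cases; the
    // exception message and stack trace stay in the server log, so a backend
    // outage is not described to the client beyond the status code.
    private static ResponseEntity<Map<String, Object>> body(HttpStatus status, String detail) {
        return ResponseEntity.status(status)
                .body(Map.of(
                        "status", status.value(),
                        "title", status.getReasonPhrase(),
                        "detail", detail));
    }
}
```

Two practical notes. First, this advice is meant to replace the library's AuthenticationException handling, not sit beside it: with two advice beans that both declare a handler for AuthenticationException, whichever advice is ordered first answers, which matches the last comment in the thread about using only one ControllerAdvice. Second, to exercise the 500 path in a test you do not need a failing user store; a test-only controller endpoint that throws new InternalAuthenticationServiceException("simulated user-store failure") is enough to drive the request through the more specific handler and assert on the status.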