It would be great to get a 401 response by default.
Now the logic is broken.
https://github.com/spring-projects/spring-boot/issues/10715
Arguments:
Developer Burden: Developers now need to implement their own solutions for previously handled features, which can lead to duplicated effort across the community.
Compliance and Consistency: Ensuring compliance with standards like HTTP can be more error-prone if developers have to implement these features themselves. This can lead to inconsistencies and mistakes, especially for less experienced developers.
Comment From: wilkinsona
Spring Boot supports 401 responses through Spring Security. Any request to an endpoint that requires authorization will return a 401 response when not authorized.
Comment From: ybaidiuk
In my case no, so I have to add:
.exceptionHandling(handler -> handler.authenticationEntryPoint((request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage())));
Without it, I will get 403 Forbidden.
Comment From: ybaidiuk
My request passes through JwtAuthFilter without any changes, and the default filter should see that a user without auth is trying to reach a protected URL and give back 401, but I get 403 instead.
Comment From: ybaidiuk
I fixed the issue by adding 2 exception handlers, which is annoying; it should be out of the box.
.exceptionHandling(a -> a.accessDeniedHandler((request, response, accessDeniedException) -> response.setStatus(403)))
.exceptionHandling(handler -> handler.authenticationEntryPoint((request, response, authException) ->
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage())));
Comment From: wilkinsona
AFAIK, neither of those should be necessary. I can't tell for certain as you haven't provided a complete example of your configuration. It seems like you're looking for some help with Spring Security. Spring Boot's issue tracker isn't the right place for that. I would start by asking a question on Stack Overflow using the spring-security tag.
Comment From: ybaidiuk
On Stack Overflow there is already a topic which confirms my arguments: https://stackoverflow.com/questions/30643029/spring-security-anonymous-401-instead-of-403
On Sun, Jul 14, 2024, 16:16 Andy Wilkinson @.***> wrote:
AFAIK, neither of those should be necessary. I can't tell for certain as you haven't provided a complete example of your configuration. It seems like you're looking for some help with Spring Security. Spring Boot's issue tracker isn't the right place for that. I would start by asking a question on Stack Overflow using the spring-security tag.
Comment From: wilkinsona
If you think this could be improved, you should open a Spring Security issue. If you do so, please take the time to describe your situation in full. That should include all of your Spring Security configuration and complete details of the request that you're sending when you receive a 403 response but expect a 401. Please don't rely on screenshots to provide this information as they often do not tell the whole story. For example, only now that you've linked to someone else's question on Stack Overflow have I learned that you're probably asking about the response when a request is made that contains no attempt to authenticate. Details like that are important.
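For reference, an added example (not code from this thread or from the Spring projects): when a filter chain authenticates only through a custom filter such as the `JwtAuthFilter` mentioned above and enables no built-in mechanism like `httpBasic()`, Spring Security falls back to `Http403ForbiddenEntryPoint`, so requests with no credentials get 403. The sketch below sets a 401 entry point explicitly; the `/public/**` path and the assumption that `JwtAuthFilter` is a servlet `Filter` bean are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // JwtAuthFilter is the poster's own filter; assumed here to be a
    // jakarta.servlet.Filter registered as a Spring bean.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtAuthFilter jwtAuthFilter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Hypothetical open path; everything else needs authentication.
                .requestMatchers("/public/**").permitAll()
                .anyRequest().authenticated())
            // The custom filter populates the SecurityContext when a valid
            // token is present and otherwise lets the request continue.
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .exceptionHandling(ex -> ex
                // Invoked by ExceptionTranslationFilter when an anonymous
                // request reaches a protected URL. HttpStatusEntryPoint sets
                // the status only, so no exception message is returned to
                // the client.
                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        // No accessDeniedHandler is set: the default handler already answers
        // 403 for an authenticated user who lacks the required authority.
        return http.build();
    }
}
```

With this in place, a request without credentials to a protected URL receives 401, while an authenticated user without sufficient authority still receives 403.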