Spring Boot version - 2.3.0 Dependencies - Spring Webflux, Spring Security
Using the spring.webflux.base-path in Webflux project with Spring Security, default authentication endpoint /login doesn't get prefixed with basepath provided, which results in 404 not found.
Steps to reproduce :
1. Add spring.webflux.base-path=/test in application.properties.
2. Request any endpoint, that will open Spring Security default login page.
3. Enter username as user and password provided in the console.
4. Submitting the form results in HTTP ERROR 404
Comment From: mbhave
@anupam-contaque I tried this with a sample webflux app and I got redirected to http://localhost:8080/test/login. Could you provide a minimal sample that we can run to reproduce the issue? It could be a link to a GitHub repository or a zip attached here.
Comment From: mbhave
Ah, I missed that the issue was after you login. I was able to reproduce it.
Comment From: scottfrederick
I've also reproduced the issue with a trivial WebFlux application, but the issue isn't limited to Boot 2.3.0 and WebFlux. If I change the web dependency from org.springframework.boot:spring-boot-starter-webflux to org.springframework.boot:spring-boot-starter-web (from WebFlux to Servlet) and change spring.webflux.base-path=/test to spring.mvc.servlet.path=/test, I get the same behavior of a 404 after a successful login form submission. The Servlet behavior is the same with Boot 2.2.8 and Boot 2.3.1.
Flagging this for team attention so we can discuss further.
Comment From: mbhave
I wasn't able to reproduce this with the servlet stack with spring.mvc.servlet.path set to /test. @scottfrederick and I chatted about it and it appears that there might have been with a different issue with his setup.
The issue still applies to Webflux. It seems to be happening because the login page that Spring Security generates does not take the base path into account. When the form is submitted, it results in a POST to /login which returns a 404. I don't think there's anything we can do in Spring Boot about this and that the fix for this would be in Spring Security but I would like to get thoughts from @bclozel and @rwinch.
Comment From: rwinch
@mbhave Thanks for the mention. I'm not aware of base path in WebFlux. Do you know what Spring Security be doing to take the base path into account?
Comment From: bclozel
@rwinch the complete path information is available as part of the RequestPath, see org.springframework.http.server.reactive.ServerHttpRequest#getPath.
Comment From: rwinch
This is fixed via spring-projects/spring-security#8807
Comment From: mbhave
Thanks @rwinch. I think we can close this issue in favor of the Spring Security fix.