Hello!
I'm using Spring Boot 2.0.2 with Spring Security.
When I updated Spring Boot to the new version, I had a problem with my custom failureHandler: my previously overridden onAuthenticationFailure function with response.sendError() is no longer working. The program does not respond with the error I specified and sends a 302 (redirect to the login page). When I use response.setStatus() it works fine; the program sends the error I want.
Is it a bug?
Comment From: rwinch
@aelsergeev Can you provide more details (i.e. a sample) in order to reproduce this to figure out what is wrong?
Comment From: anselvo
Sorry, but I can not give you a sample, I do not have time for that.
Regarding the details, I use my own settings for successHandler and for failureHandler (http://joxi.ru/Q2KBvBNH49YEBm). With successHandler all is fine, but with failureHandler it is not (it happened when I updated my Spring Boot to the second version).
My class for failureHandler looks like this (http://joxi.ru/5md3e3JUkvDOyr). Before the update, it sent me a 401 error and a message, but after the update, it started sending a 302 and redirecting to the login page. Now I have rewritten the function like this (http://joxi.ru/p273V3QUo0GkX2) so it at least sends me the error. By the way, I tried to use the @deprecated method void setStatus(int sc, String sm) and it does not send an error message either.
Comment From: anselvo
@rwinch can you please check my feedback)
Comment From: rwinch
> Sorry, but I can not give you a sample, I do not have time for that.
This makes it difficult for the community to have time to help you.
Based on the code you provided I can take a guess as to what is happening. When you invoke sendError it will dispatch the request to /error (the error handling code registered by Spring Boot). However, Spring Security will intercept /error and see that you are not authenticated and thus redirect you to a login form.
PS: The security configuration you provided has a few problems in it. The first is that each rule for authorizeRequests is considered in order and only the first match will be used. This means that the last rule will never be used, since the rule just prior matches any request. To fix this, switch the ordering of these rules. The second piece is that I recommend using mvcMatchers since you are likely using a Spring MVC application. Finally, as a bit of polish, you can replace .antMatchers("/**") with .anyRequest(). These are the same thing, but the second reads a bit nicer.
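An added example that is not code from this issue or from the Spring projects, combining the two points above: a failure handler that sets the 401 status and body itself rather than calling sendError (so nothing is dispatched to /error), and an authorizeRequests block with the specific mvcMatchers rules placed before anyRequest(). The paths /login, /public/** and /admin/**, the ADMIN role and the JSON message are assumed for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

/** Failure handler that writes the 401 itself instead of dispatching to /error. */
public class JsonAuthenticationFailureHandler implements AuthenticationFailureHandler {

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // sendError() forwards to the /error dispatcher, which Spring Security treats as an
        // unauthenticated request and answers with a 302 to the login page. setStatus() plus an
        // explicit body keeps the 401 in this response.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
        // Fixed message (assumed): exception.getMessage() is not echoed, so the client
        // cannot tell which part of the credentials was wrong.
        response.getWriter().write("{\"error\":\"Authentication failed\"}");
        response.getWriter().flush();
    }
}

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Rules are evaluated in order and the first match wins, so the
                // specific paths (assumed) come first and the catch-all comes last.
                .mvcMatchers("/login", "/public/**").permitAll()
                .mvcMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .failureHandler(new JsonAuthenticationFailureHandler());
    }
}
```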