Describe the bug

ExceptionTranslationWebFilter causes a blocking call in case of missing/wrong authentication when it is trying to read a message from a resource bundle. This becomes a problem when spring-security and spring-webflux are used together, and gets caught by Blockhound. The issue is not specific to testing context as the blocking code is also run during normal runs.

To Reproduce

Send a request to an endpoint that requires a specific role, using WebTestClient without any authentication. Blockhound catches the blocking call to MessageSourceAccessor::getMessage and the endpoint returns 500 due to the exception.

Expected behavior

Message resolution is handled in a non-blocking manner so that it is compatible with spring-webflux.

Sample

Sample project can be found here: https://github.com/burakcorekci/blocking-exception-translation

Comment From: eleftherias

Thank you for submitting this issue @burakcorekci. Are you interested in submitting a pull request to fix the issue?

Comment From: giger85

@eleftherias
Is there any update on this issue?

Comment From: eleftherias

I'll share some more context on this issue. I see two ways to handle the error that Blockhound produces.

1) Since reading the file only happens once, and then it is cached, we could add a rule to suppress the error.

2) We could remove the call to fetch the message in the ExceptionTranslationWebFilter and always use the default message.

I favor option 2, because it aligns with the other security WebFilters. In the future, if we choose to add localization to the WebFilters, we can do it consistently across all filters.

Comment From: eleftherias

Closed via 725a57f.

For users on Spring Security 5.6 I recommend adding a Blockhound rule to suppress the error, since the blocking call only happens once and then the results are cached. I will not be backporting the fix to 5.6 because it breaks compatibility and there is a reasonable workaround.

Once 5.7 is released you can upgrade and remove the Blockhound rule.
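
Added example (not part of the thread and not Spring Security's own code): one way to write the suppression rule recommended above for 5.6, scoped to the single method named in the report so that BlockHound still flags blocking calls everywhere else. The package and class name are hypothetical; the allow-listed method is the MessageSourceAccessor::getMessage call from the bug description.

```java
package example; // hypothetical package, adjust to your project

import reactor.blockhound.BlockHound;
import reactor.blockhound.integration.BlockHoundIntegration;

/**
 * Narrow BlockHound allow-list for the one-time resource bundle read
 * triggered by ExceptionTranslationWebFilter on Spring Security 5.6.
 * Remove this class after upgrading to 5.7.
 */
public class MessageSourceBlockHoundIntegration implements BlockHoundIntegration {

    // Class and method reported by BlockHound in the issue description.
    private static final String ALLOWED_CLASS =
            "org.springframework.context.support.MessageSourceAccessor";
    private static final String ALLOWED_METHOD = "getMessage";

    @Override
    public void applyTo(BlockHound.Builder builder) {
        // Permit blocking only while this method is on the call stack.
        // Every other blocking call on a non-blocking thread is still reported.
        builder.allowBlockingCallsInside(ALLOWED_CLASS, ALLOWED_METHOD);
    }

    /** Explicit installation, e.g. from a test's static initializer. */
    public static void install() {
        BlockHound.install(new MessageSourceBlockHoundIntegration());
    }
}
```

Instead of calling install() explicitly, the class can be discovered automatically by listing its fully qualified name in META-INF/services/reactor.blockhound.integration.BlockHoundIntegration.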