Describe the bug
A valid, existing error page is blocked by Spring Security with a "filter invocation [/public/error/error.jsf] denied" error message.
25-Oct.-2022 18:43:52,535 ERROR [XNIO-2 task-8] [org.omnifaces.filter.FacesExceptionFilter:164] - [6b440355-0511-4066-b421-716cb8f4fef9][127.0.0.1] FacesExceptionFilter: An exception occurred during processing servlet request. Error page '/public/error/error.jsf' will be shown.
javax.servlet.ServletException: java.lang.NullPointerException: Cannot invoke "com.xxx.yyy.zzz.getId()" because "brand" is null
25-Oct.-2022 18:43:52,537 DEBUG [XNIO-2 task-8] [org.springframework.security.web.context.SecurityContextPersistenceFilter:120] - Cleared SecurityContextHolder to complete request
25-Oct.-2022 18:43:52,559 DEBUG [XNIO-2 task-8] [org.springframework.security.web.FilterChainProxy:333] - Secured GET /public/error/error.jsf
25-Oct.-2022 18:43:52,573 DEBUG [XNIO-2 task-8] [org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator:104] - filter invocation [/public/error/error.jsf] denied for UsernamePasswordAuthenticationToken [Principal=com.xxx.yyy.zzz.User@7945ad41, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=SUHpJHhHyIrjf1oJdVMVYzy_-k9sxZH2Cl6Wr12_], Granted Authorities=[ADMIN]]
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73)
	at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:100)
	at org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator.isAllowed(DefaultWebInvocationPrivilegeEvaluator.java:67)
	at org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.isAllowed(RequestMatcherDelegatingWebInvocationPrivilegeEvaluator.java:76)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.isAllowed(ErrorPageSecurityFilter.java:88)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.doFilter(ErrorPageSecurityFilter.java:76)
	at org.springframework.boot.web.servlet.filter.ErrorPageSecurityFilter.doFilter(ErrorPageSecurityFilter.java:70)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
Spring Security set up:
http.authorizeRequests().antMatchers("/public/error/error.jsf").permitAll().anyRequest().authenticated();
A not-safe (but working) workaround is to put the error page into web ignoring (then this page indeed shows up correctly):
@Bean
WebSecurityCustomizer webSecurityCustomizer()
{
return (web) -> web.ignoring().antMatchers("/public/error/error.jsf");
}
Running with Spring Boot v2.7.4, Spring v5.3.23, Spring Security v5.7.4
To Reproduce
Steps to reproduce the behavior.
Expected behavior
/public/error/error.jsf should show up instead of a blank page.
regards, --vs
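The blank page in the report comes from Spring Boot's ErrorPageSecurityFilter, which on the ERROR dispatch asks Spring Security's WebInvocationPrivilegeEvaluator whether the current Authentication may see the error page (that is the `DefaultWebInvocationPrivilegeEvaluator ... denied` line in the log). The test below, an added example that is not part of the issue, the reporter's project or the Spring projects, asks that same evaluator bean the same question, so it can be dropped into the real application (with its custom filters and providers) to check whether the configured rules actually permit `/public/error/error.jsf`. It assumes a Spring Boot 2.7 / Spring Security 5.7 application with JUnit 5 on the test classpath; the `ErrorPageAccessTest` and `SecurityConfig` class names, the `/admin/index.jsf` path used as a negative control and the sample usernames are hypothetical, while the error-page path and the `ADMIN` authority mirror the issue.

```java
// Added example, not code from the issue or from Spring Boot/Spring Security.
// Assumes Spring Boot 2.7 / Spring Security 5.7 and JUnit 5 (spring-boot-starter-test).
package com.example.errorpage;

import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.WebInvocationPrivilegeEvaluator;

@SpringBootTest
class ErrorPageAccessTest {

    // Hypothetical stand-in for the reporter's configuration: same two rules as in the issue.
    // In the real project, delete this nested class so the test runs against the actual config.
    @Configuration
    @EnableWebSecurity
    static class SecurityConfig {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/public/error/error.jsf").permitAll()
                .anyRequest().authenticated();
            return http.build();
        }
    }

    // @EnableWebSecurity registers this bean; ErrorPageSecurityFilter consults the same evaluator.
    @Autowired
    WebInvocationPrivilegeEvaluator evaluator;

    private static Authentication adminUser() {
        // Mirrors the token in the log: authenticated, granted authority "ADMIN" (no ROLE_ prefix).
        // The three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken("admin", "n/a",
                AuthorityUtils.createAuthorityList("ADMIN"));
    }

    private static Authentication anonymous() {
        // What the filter sees when the failing request was never authenticated.
        return new AnonymousAuthenticationToken("key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    }

    @Test
    void errorPageIsPermittedForAuthenticatedUser() {
        // This is the decision made on the ERROR dispatch. If it is false against the
        // real configuration, the blank page from the report is the expected outcome.
        assertTrue(evaluator.isAllowed("/public/error/error.jsf", adminUser()));
    }

    @Test
    void errorPageIsPermittedForAnonymous() {
        // permitAll must also hold for an unauthenticated caller, otherwise errors
        // raised before login would still render blank.
        assertTrue(evaluator.isAllowed("/public/error/error.jsf", anonymous()));
    }

    @Test
    void otherPathsStillRequireAuthentication() {
        // Negative control: the catch-all rule must not have been loosened while
        // opening the error page.
        assertFalse(evaluator.isAllowed("/admin/index.jsf", anonymous()));
        assertTrue(evaluator.isAllowed("/admin/index.jsf", adminUser()));
    }
}
```

With the stand-in configuration the three tests pass, which matches the reporter's finding that a minimal project does not reproduce the problem; the value of the test is in running it against the full project configuration, then removing the custom filters and authentication providers one at a time until the first assertion flips. The `web.ignoring()` workaround passes this check trivially because the path is taken out of the Spring Security filter chain altogether: the error page is then served with no SecurityContext, no CSRF protection and no security headers, which is why Spring Security 5.7 logs a warning recommending `permitAll` over `ignoring` for such paths and why the reporter rightly calls it not safe.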
Comment From: marcusdacoregio
Hi @vitsin, can you provide a minimal, reproducible sample so we can have a better clue on what is happening? It's hard to debug and to simulate the scenario with just the logs.
Comment From: vitsin
Hello, when I created a simple sample project based on the same Spring Security and Boot versions, the original bug is not reproducible.
The differences between the simple project and my project:
1. My project uses JSF+PrimeFaces heavily vs. Thymeleaf in the sample project (I don't think this is the source of the issue).
2. The Spring Security set-up in my project is a bit more complex:
   - there are 3 special custom Filters, one addFilterBefore and two addFilterAfter in Spring Security;
   - there is a whole chain of custom providers under http.authenticationManager() in my project.
I'll keep digging into this (specifically those 3 filters) to narrow it down as much as possible. Thanks!
Comment From: marcusdacoregio
Hi @vitsin, I'll close this as invalid for now but if you are able to come up with the sample we can reopen it.
Thank you.