Describe the bug

Configuration rules that worked in Spring Security 5.7.6 don't work in 6.0.1.

After migrating the security configuration to Spring Security 6.0.1, there is an endless redirect to the login page. The project uses Spring MVC and JavaServer Pages (JSP).

To migrate from Spring Security 5.7.6 (Spring Boot 2.7.7) to Spring Security 6.0.1 (Spring Boot 3.0.1) I changed SecurityConfig.java file from

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .formLogin()
            .loginPage("/login")
            .and()
        .httpBasic()
            .and()
        .authorizeRequests()
            .antMatchers("/login", "/public").permitAll()
            .anyRequest().authenticated();
}
```

to

```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .formLogin()
            .loginPage("/login")
            .and()
        .httpBasic()
            .and()
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers("/login", "/public").permitAll()
            .anyRequest().authenticated()
        );

    return http.build();
}
```

To Reproduce

Steps to reproduce error behavior (spring-boot-3 branch contains an example with Spring Security 6.0.1 (Spring Boot 3.0.1)):

  1. git clone -b spring-boot-3 https://github.com/dbelob/spring-security-migration-error.git
  2. cd spring-security-migration-error
  3. mvn clean package
  4. mvn spring-boot:run
  5. Open browser with link http://localhost:8080

The browser will open with endless redirect to the login page http://localhost:8080/login (see Network tab in Developer tools)

Expected behavior

After opening a browser with a link, a login page should open for entering a name and password.

Steps to reproduce success behavior (main branch contains an example with Spring Security 5.7.6 (Spring Boot 2.7.7)):

  1. git clone https://github.com/dbelob/spring-security-migration-error.git
  2. cd spring-security-migration-error
  3. mvn clean package
  4. mvn spring-boot:run
  5. Open browser with link http://localhost:8080
  6. Login page will open successfully
  7. Log in with user/password (user is username, password is password)

The home page will open at the link http://localhost:8080/home

Sample

A link to a GitHub repository with a minimal, reproducible sample (see spring-boot-3 branch).

Same issue: #12463

Comment From: jzheaux

The reason is that in 6.0, the authorization filter is run for all dispatcher types, including FORWARD. This means that the JSP that is forwarded to also needs to be permitted.

You can achieve this by permitting FORWARDs:

```java
http.authorizeHttpRequests((authorize) -> authorize
    .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
    // ... the rest of your authorization rules
)
```

For more details, you can see the section about Spring MVC in the migration guide.
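
As an added example (not code from the reporter's repository or from jzheaux's comment), here is the reporter's 6.0.1 `SecurityFilterChain` with the FORWARD rule applied. It assumes Spring Boot 3 / Jakarta Servlet imports and the same `/login` and `/public` paths as the issue; the class and bean names are the reporter's, everything else is illustrative.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .formLogin(form -> form.loginPage("/login"))
            .httpBasic(Customizer.withDefaults())
            .authorizeHttpRequests(authorize -> authorize
                // In 6.0 the AuthorizationFilter also runs on FORWARD dispatches.
                // The controller's forward to the JSP view is such a dispatch; without
                // this rule it is evaluated against anyRequest().authenticated() and,
                // because the forwarded request carries no authentication, the
                // response is a redirect to /login, which forwards again: the loop
                // seen in the Network tab.
                .dispatcherTypeMatchers(DispatcherType.FORWARD).permitAll()
                // Original rules from the issue (assumed paths /login and /public).
                .requestMatchers("/login", "/public").permitAll()
                .anyRequest().authenticated()
            );

        return http.build();
    }
}
```

Rule order matters: the `dispatcherTypeMatchers` line must come before `anyRequest()`, because the first matching rule wins. Permitting FORWARD does not weaken the authorization of the original request: a FORWARD dispatch only happens server-side after the initial REQUEST dispatch for the controller has already been authorized, and a client cannot send a FORWARD dispatch itself. If the JSP files live under `WEB-INF`, the servlet container additionally refuses to serve them on a direct client request, so the view is reachable only through an authorized controller.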

Comment From: jzheaux

Duplicate of https://github.com/spring-projects/spring-security/issues/12463