Summary

Out of the box with Spring Security 6.0.2, adding a basic REST controller with a @PreAuthorize annotation as illustrated below results in an HTTP 500 server error being returned rather than an HTTP 401 Authentication Required result when the client fails to send a request with the Authorization header set.

Actual Behavior

When the client provides no Authentication header at all, the end result is an HTTP 500 back to the client, with log errors like this:

org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:350) ~[spring-security-core-6.0.2.jar!/:6.0.2]
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:214) ~[spring-security-core-6.0.2.jar!/:6.0.2]
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64) ~[spring-security-core-6.0.2.jar!/:6.0.2]
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184) ~[spring-aop-6.0.4.jar!/:6.0.4]
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:752) ~[spring-aop-6.0.4.jar!/:6.0.4]
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:703) ~[spring-aop-6.0.4.jar!/:6.0.4]
    at com.example.boot3.controller.TestController$$SpringCGLIB$$0.getTestSecure(<generated>) ~[classes!/:0.0.2-SNAPSHOT]

Expected Behavior

The result should be an HTTP 401 (authentication required) status code rather than a 500 server error.

Configuration

The REST controller is configured as follows:

    @GetMapping("/testsecure")
    @PreAuthorize("hasRole('TEST_SECURE_ADMIN_READ')")
    public List getTestSecure() { ... }

Version

spring-security 6.0.2

Sample

See above.

Comment From: jzheaux

Hi, @gsharris, thanks for the report. I don't quite have a clear picture just yet. Can you please provide more of the stacktrace? The reason I'm asking is that in a typical web application, the exception will get caught by the ExceptionTranslationFilter to do as you describe. Or better yet, please provide a minimal GitHub sample to speed the process along.

Also, I'm curious whether this happens when you use @EnableMethodSecurity instead of @EnableGlobalMethodSecurity. You might consider trying this out in the meantime.
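A Spring Security 6 configuration that yields the 401 described above, written here as an added example rather than code from the reporter's project or from Spring Security itself; the class name, the use of HTTP Basic and the choice of HttpStatusEntryPoint are assumptions. It combines the @EnableMethodSecurity suggestion with a filter chain that rejects anonymous requests before the method interceptor runs, and shows where ExceptionTranslationFilter hands the exception off.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;

// Example configuration (assumed class name, not taken from the issue).
@Configuration
@EnableWebSecurity
// Spring Security 6 method security; @PreAuthorize is enabled by default, so
// prePostEnabled = true is no longer needed as it was with @EnableGlobalMethodSecurity.
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Require authentication in the filter chain itself, so a request with no
            // Authorization header is rejected before it ever reaches the @PreAuthorize
            // interceptor (which otherwise throws because the SecurityContext is empty).
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // HTTP Basic is assumed here; any Authorization-header scheme works the same way.
            .httpBasic(Customizer.withDefaults())
            // ExceptionTranslationFilter passes an AuthenticationException, or an
            // AccessDeniedException raised for an anonymous caller, to this entry point,
            // which writes a bare 401 instead of letting the servlet container answer 500.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)));
        return http.build();
    }
}
```

The translation to 401 only happens if the exception actually reaches ExceptionTranslationFilter; a @ControllerAdvice or try/catch that handles Exception inside the web layer will swallow it first and the client sees a 500.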

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.