Summary

Actual Behavior

Before the upgrade, throwing a custom exception returned a 500 error. After the upgrade, a 403 is returned when a custom exception is thrown.

Expected Behavior

Returns status code 500.

Configuration

Version configuration of 5.7.8 (screenshot of the security config)
Version configuration of 6.1.0 (screenshot of the security config)

Version

When I log in normally, following the code of version 6.1.0, I found that on reaching the AuthorizationFilter, checking the AuthorizationDecision returned an anonymous user, causing an AccessDeniedException to be thrown; then, through Http403ForbiddenEntryPoint, the response code is set to 403. The current solution is to configure dispatcherTypeMatchers as ERROR. When going through the doFilter method of AuthorizationFilter, no AccessDeniedException is thrown thanks to the skipDispatch method. I don't know if this is the right solution. (screenshot)

Sample

Comment From: marcusdacoregio

Hi, @zhangzhen0214.

I do have a guess about what is happening but to be more assertive I'd need more details about your configuration, custom filters, etc. Anyway, I think that you are not explicitly saving the SecurityContext into the SecurityContextRepository.

Can you try that and, if it does not work, provide a minimal, reproducible sample or more details about the code?

Comment From: zhangzhen0214

I have tried it and it achieves the expected behavior, the same process as when debugging the 5.7.8 version code, after I added a piece of code to the configuration as shown in the figure. Thank you very much for your help! (screenshot)

Comment From: marcusdacoregio

I'm glad it solved the issue. Ideally you would call the SecurityContextRepository#saveContext in your filter instead of switching that flag to false.
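One way to follow that advice in a custom filter, as an added example that is not code from this issue or from the Spring Security project. It assumes a hypothetical token-based filter (TokenAuthenticationFilter, a TokenAuthenticator component, and an X-Auth-Token header) and a session-backed SecurityContextRepository:

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical custom filter. In Spring Security 6 the context is no longer persisted
// automatically (requireExplicitSave defaults to true), so the filter saves it itself.
public class TokenAuthenticationFilter extends OncePerRequestFilter {

    // Assumed application component that turns a token into an Authentication (null if invalid).
    public interface TokenAuthenticator {
        Authentication authenticate(String token);
    }

    // Should be the same repository instance that the SecurityFilterChain is configured with.
    private final SecurityContextRepository securityContextRepository =
            new HttpSessionSecurityContextRepository();

    private final TokenAuthenticator tokenAuthenticator;

    public TokenAuthenticationFilter(TokenAuthenticator tokenAuthenticator) {
        this.tokenAuthenticator = tokenAuthenticator;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String token = request.getHeader("X-Auth-Token");
        Authentication authentication = (token != null) ? tokenAuthenticator.authenticate(token) : null;
        if (authentication != null) {
            // Build a fresh context instead of mutating the shared one.
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(authentication);
            SecurityContextHolder.setContext(context);
            // Explicit save: without it, AuthorizationFilter on the ERROR dispatch sees an
            // anonymous user and answers 403 instead of letting the original 500 through.
            securityContextRepository.saveContext(context, request, response);
        }
        chain.doFilter(request, response);
    }
}
```

Register the filter with http.addFilterBefore(...) in the SecurityFilterChain; saving the context this way keeps the default dispatcherTypeMatchers behaviour intact rather than permitting ERROR dispatches outright.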

Comment From: zhangzhen0214

Thank you for your advice; I will keep it in mind. Since I am doing the library upgrade, I will try to keep the code changes minimal and consistent with the previous logic.