When we are logged in to the system and we access a resource that is not mapped (doesn't exist), we get back a 404 error, but that's not happening to me: I'm getting a 401 error, which doesn't make any sense because I'm already logged in, and I think it's a Spring Security bug.

Filter :

    if (tokenJWT != null) {
        User user = recoverUser(tokenJWT);

        Authentication authentication =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(authentication); // The authentication is being done here; the user is already logged in!
    }

    filterChain.doFilter(request, response); // Here, the request goes to the next class, SecurityConfigurations.
}

SecurityConfigurations :

            ...
            .anyRequest().authenticated()

When I'm logged in and access any resource that doesn't exist, I should get back a 404 error, but I'm getting a 401.

Spring Security: I'm getting a 401 error instead of 404.

I'm sure the token is valid! It started happening when I updated the Spring Boot version to 3.0.1.
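For readers who land here with the same symptom, the following is an added example, not code from the original post or from the Spring Security project. It assumes the poster's JWT filter is a `OncePerRequestFilter` named `SecurityFilter` (a hypothetical name) and that the configuration class is the `SecurityConfigurations` shown above. The relevant behaviour change in Spring Security 6 (the version Spring Boot 3.0.x ships) is that the authorization filter now runs on every dispatch type, including the `ERROR` dispatch Spring Boot uses to render a 404 for an unmapped path, whereas Spring Security 5.x skipped error dispatches by default. A `OncePerRequestFilter` does not run on `ERROR` dispatches unless `shouldNotFilterErrorDispatch()` is overridden, so the `SecurityContext` is empty on that second pass and `anyRequest().authenticated()` answers 401 instead of letting the 404 through. The example shows both ways to restore the 404:

```java
import jakarta.servlet.DispatcherType;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.DispatcherTypeRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfigurations {

    // Hypothetical name for the JWT filter from the post (a OncePerRequestFilter).
    private final SecurityFilter securityFilter;

    public SecurityConfigurations(SecurityFilter securityFilter) {
        this.securityFilter = securityFilter;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                // Stateless JWT API: no session, no CSRF token to present.
                .csrf(csrf -> csrf.disable())
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(auth -> auth
                        // Option 1: let the ERROR dispatch through. Spring Boot forwards an
                        // unmapped path to /error with DispatcherType.ERROR; without this rule
                        // Spring Security 6 applies anyRequest().authenticated() to that
                        // dispatch too, and because the JWT filter did not run on it the
                        // context is empty and the client sees 401 instead of 404.
                        // This matcher only matches the ERROR dispatch: a client that requests
                        // GET /error directly is a REQUEST dispatch and still needs a token.
                        // (Spring Security 6.1+ also offers the shorthand
                        //  .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll())
                        .requestMatchers(new DispatcherTypeRequestMatcher(DispatcherType.ERROR)).permitAll()
                        .anyRequest().authenticated())
                // The JWT filter populates the SecurityContext before authorization runs.
                .addFilterBefore(securityFilter, UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}

// Option 2 (alternative, pick one): make the JWT filter itself run on ERROR
// dispatches as well, so the SecurityContext is populated when /error is rendered.
// The Authorization header is still present on the error dispatch because it is
// the same underlying request, so recoverUser(tokenJWT) works unchanged.
abstract class ErrorDispatchAwareJwtFilter extends OncePerRequestFilter {

    @Override
    protected boolean shouldNotFilterErrorDispatch() {
        return false; // default is true, which is why the context was empty on /error
    }
}
```

Option 1 is the smaller change and keeps the JWT filter from parsing the token twice per failed request. Whichever option is used, check what the `/error` response body contains once it becomes reachable on the error dispatch: Spring Boot's defaults (`server.error.include-stacktrace=never`, `server.error.include-message=never`) keep it to a status and timestamp, and loosening those settings for convenience leaks exception details to unauthenticated callers on every 404.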

Comment From: sjohnr

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Comment From: JohannesSchwegler

@Almadavic did you solve this issue? if so, how did you do it?

Comment From: Almadavic

> @Almadavic did you solve this issue? if so, how did you do it?

Yes, I solved it. Reach me on my e-mail almadavic@live.com so we can talk about that.

Comment From: fkressmann

> Yes, I solved it. Reach me on my e-mail almadavic@live.com so we can talk about that.

@Almadavic would you please share your findings here (or somewhere else and link to it)? Otherwise this issue is useless for everybody else who found it on Google etc. (like me :D), and I guess you don't want a million people to contact you via email... Thanks!

Comment From: sjohnr

Hi folks, thanks for being willing to help each other! I do apologize, but this issue tracker is not intended to be a message board. I've already pointed out that using Stack Overflow is the preferred way to ask and answer questions related to Spring Security. You can also use Gitter to discuss solutions. Please feel free to post a link to stackoverflow so that others can find it. If other discussion continues on this thread, I plan to lock the conversation.

Comment From: MilanObrenovic

> Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Isn't this a bug?

Why does a wrong username/password return a 401 "unauthorized" during authentication? This is the authentication process, not the authorization process. If the user is already logged in and tries to access a resource, then returning 401 "unauthorized" makes sense depending on the role. But if a user is NOT logged in and tries to log in, it does not make sense to return 401 "unauthorized". Why is a user "unauthorized" to log in? It should be a 404 Not Found because the username/password is not found in the database.

So this smells like a Spring Security bug. How do I override this behavior?

Comment From: sjohnr

@MilanObrenovic as mentioned earlier, we do intend GitHub to be used only for bugs and enhancements, and not as a discussion board or question-answer forum. It sounds like you still have questions about Spring Security, and I'd encourage you to move that discussion to the appropriate forum.

Your question is answered elsewhere however, including in talks from Spring Security team members. See for example this Spring Security talk from SpringOne 2021.