Version 6.0.0

For this configuration:


    @Bean
    public SecurityFilterChain filterChain( final HttpSecurity http ) throws Exception {
        http
                .cors().and().csrf().disable()
                .sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS )
                .and()
                .anonymous()
                .and()
                .authorizeHttpRequests()
                .requestMatchers( HttpMethod.OPTIONS ).permitAll()
                .requestMatchers( "/system/**" ).hasRole( new SecurityRole( Role.ROLE_SYSTEM ).toString() )
                .requestMatchers( "/admin/**" ).hasRole( new SecurityRole( Role.ROLE_AUTH_ADMIN ).toString() )
                .requestMatchers( "/identity/**" ).hasRole( new SecurityRole( Role.ROLE_AUTH_IDENTITY ).toString() )
                .requestMatchers( "/guest/**" ).permitAll()
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer( OAuth2ResourceServerConfigurer::jwt );

        return http.build();
    }

All exceptions thrown by "/guest/**" endpoints are converted to HTTP 401 without a body, even when I issue an HTTP 409 with this class:

    @ResponseStatus( code = HttpStatus.CONFLICT )
    public class HttpConflictException extends RuntimeException {
        public HttpConflictException( String message ) {
            super( message );
        }
    }

If this line

    .requestMatchers( "/guest/**" ).permitAll()

is replaced by this

    .requestMatchers( "/**" ).permitAll()

it works. But this option seems too dangerous. Am I not understanding something? I haven't seen anything in the documentation that can help with this issue.

Dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-resource-server</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
    </dependency>

Thank you.

Comment From: marcusdacoregio

Hi @romainlavabre,

This behavior is expected, since Spring Security now applies to all dispatcher types; this includes the dispatch to the /error endpoint that Spring Boot performs when there is an error. If you want to view the /error page you should permit it as well, like so:

    .requestMatchers("/error").permitAll()

or, you may want to permit all ERROR dispatchers:

    .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()

Comment From: romainlavabre

Ok, thank you for your reply. I probably didn't go far enough in the documentation, or I missed this information.

Comment From: Devecor

I noticed that it can't be reproduced by a test with @SpringBootTest or @WebMvcTest in Spring Security 6.1.4, but it can be reproduced on a running application when calling the API via curl. So I just want to know if there is any way to test this in JUnit 5?