Describe the bug
MissingServletRequestParameterException happened in the application, but AuthenticationEntryPoint is involved in the processing.
Below is the log
2023-12-17T22:29:38.342+08:00 WARN 6780 --- [nio-9527-exec-3] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.bind.MissingServletRequestParameterException: Required request parameter 'organizationId' for method parameter type Long is not present]
2023-12-17T22:29:38.344+08:00 DEBUG 6780 --- [nio-9527-exec-3] c.z.i.a.security.config.SecurityConfig : onAuthenticationFailure!!!
Below is the code
    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(AbstractHttpConfigurer::disable);
        http.cors().configurationSource(corsConfigSource());
        http
            .authorizeHttpRequests(
                authorizationManagerRequestMatcherRegistry ->
                    authorizationManagerRequestMatcherRegistry
                        .requestMatchers("/api/admin/login", "/api/admin/login/", "/api/admin/exam/")
                        .permitAll()
                        .anyRequest()
                        .authenticated())
            .exceptionHandling(httpSecurityExceptionHandlingConfigurer ->
                httpSecurityExceptionHandlingConfigurer
                    .accessDeniedHandler(this::onAccessDenied)
                    .authenticationEntryPoint(this::onAuthenticationFailure))
            .sessionManagement(httpSecuritySessionManagementConfigurer ->
                httpSecuritySessionManagementConfigurer
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .addFilterBefore(jwtAuthenticationTokenFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }

    private void onAuthenticationFailure(HttpServletRequest request,
                                         HttpServletResponse response,
                                         AuthenticationException e) throws IOException {
        log.debug("onAuthenticationFailure!!!");
        response.setContentType("application/json;charset=utf-8");
        PrintWriter writer = response.getWriter();
        writer.write(ApiResult.fail(ApiCodeEnum.SYS_AUTH_FAILED, e.getMessage()).asJsonString());
    }
Comment From: jzheaux
Hi, @zhangyuanlin666, I'm not able to reproduce the issue you described with the given information. Are you able to provide a minimal GitHub sample? Please ensure that it contains the smallest configuration possible to reproduce the behavior.
Comment From: zhangyuanlin666
The minimal GitHub sample is here: https://github.com/zhangyuanlin666/demo.git. After the project is running, visit http://localhost:8080/api/exam. org.springframework.web.bind.MissingServletRequestParameterException will happen, but it does enter the security authenticationEntryPoint, and I don't think any other exceptions will enter this flow.
Comment From: kse-music
After running the demo you provided, I think:
1. When visiting http://localhost:8080/api/exam, due to the missing id parameter, the MissingServletRequestParameterException happens, and the DefaultHandlerExceptionResolver sets the response status to 400.
2. Tomcat searches for the ErrorPage (default /error path) based on 400 and then forwards it to the request.
3. Verification failed because the security filter chain did not permit the /error path.
If you permit /error, then:
- When accessed with a browser, it will return as below
- When accessed with Postman, it will return as below
Comment From: marcusdacoregio
Looks like this is related to the redirect to /error as @kse-music pointed out, which is expected.
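A configuration that lets the container's error dispatch through, as an added example that is not part of the thread or of the reporter's demo. The class name and the permitted API paths are assumptions; it matches on `DispatcherType.ERROR` instead of permitting the `/error` path, so the internal dispatch described in the thread is allowed while a direct client request to `/error` still requires authentication.

```java
import jakarta.servlet.DispatcherType;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ErrorDispatchSecurityConfig { // hypothetical class name

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(auth -> auth
                // The 400 set by DefaultHandlerExceptionResolver makes the container
                // dispatch to /error, and that dispatch passes through this chain again.
                // Allow it by dispatcher type: only the container can create an ERROR
                // dispatch, so this is narrower than the thread's suggestion
                // requestMatchers("/error").permitAll(), which also opens GET /error
                // to unauthenticated clients.
                .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                // Assumed public endpoints, taken from the thread's URLs.
                .requestMatchers("/api/admin/login", "/api/exam").permitAll()
                .anyRequest().authenticated())
            .exceptionHandling(ex -> ex
                // Reached only for real authentication failures once the error
                // dispatch is permitted; a missing request parameter on a public
                // endpoint now surfaces as the MVC 400 error response instead.
                .authenticationEntryPoint((request, response, e) -> {
                    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                    response.setContentType("application/json;charset=utf-8");
                    response.getWriter().write("{\"error\":\"unauthenticated\"}");
                }))
            .sessionManagement(sm ->
                sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

Because the error response is now served without authentication, check what the application's error handler includes in its body before exposing it.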