Hello, I encountered the following error while configuring security through Spring Security version 6.2.4. I tried to set restricted access using anyRequest().authenticated() and requestMatchers, but encountered an unresolved issue.
- Even though I granted permitAll through requestMatchers, Access Denied occurs according to the trace log. The mapping controller in question is configured to expose screens through JSP as an MVC controller.
- However, granting permitAll to the mapping address of the REST API controller within the same project results in normal operation.
- In JUnit5 test code, tests using mockMvc with the same configuration do not encounter Access Denied and function properly.
- Granting anyRequest.permitAll allows access to the JSP MVC controller without any issues.
Recently, user PavelBortnovskyi also left a comment about the same error that occurred previously. https://github.com/spring-projects/spring-security/issues/14011
It seems there might be a bug in the requestMatcher for the MVC Controller using JSP.
Below is the code I tested.
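```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping(path = "/testweb")
@Controller
public class TestController { // This is the MVC controller

    @GetMapping(value = "/get")
    public String getTest() {
        // This test web page is a page that is not found
        // The view resolver is configured with registry.jsp("/WEB-INF/jsp", ".jsp");
        return "/testHtml";
    }
}
```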
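```java
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(TestController.class)
public class SecurityTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    @DisplayName("mvc test controller associated with page not found")
    void security_mvc_notFound_test() throws Exception {
        //given
        //when
        //then
        mockMvc.perform(get("/testweb/get"))
                .andExpect(status().isNotFound());
    }

    // Security configuration under test: /testweb/** is permitted,
    // every other request requires authentication.
    @EnableWebSecurity
    @Configuration
    public static class testSecuiryConfig {

        @Bean
        public SecurityFilterChain restApiSecurityFilterChain(HttpSecurity http) throws Exception {
            http
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authorizeRequests ->
                    authorizeRequests
                        .requestMatchers("/testweb/**").permitAll()
                        .anyRequest().authenticated());
            return http.build();
        }
    }
}
```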
```
2024-05-04 19:09:26.060 [ INFO] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - initServletBean:532] --- Initializing Servlet 'dispatcherServlet'
2024-05-04 19:09:26.061 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initMultipartResolver:533] --- Detected StandardServletMultipartResolver
2024-05-04 19:09:26.061 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initLocaleResolver:557] --- Detected AcceptHeaderLocaleResolver
2024-05-04 19:09:26.061 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initThemeResolver:583] --- Detected FixedThemeResolver
2024-05-04 19:09:26.063 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initRequestToViewNameTranslator:733] --- Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@203f1447
2024-05-04 19:09:26.063 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initFlashMapManager:797] --- Detected org.springframework.web.servlet.support.SessionFlashMapManager@2673ba1f
2024-05-04 19:09:26.064 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - initServletBean:549] --- enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
2024-05-04 19:09:26.065 [ INFO] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - initServletBean:554] --- Completed initialization in 4 ms
2024-05-04 19:09:26.089 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - getFilters:245] --- Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@57202722, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7bc342f6, org.springframework.security.web.context.SecurityContextHolderFilter@67b920c9, org.springframework.security.web.header.HeaderWriterFilter@77e467d9, org.springframework.web.filter.CorsFilter@20c3be4c, org.springframework.security.web.authentication.logout.LogoutFilter@1290fc6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3f6fa2dd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@278e721e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77d86aba, org.springframework.security.web.access.ExceptionTranslationFilter@c4e440b, org.springframework.security.web.access.intercept.AuthorizationFilter@38988d78]] (1/1)
2024-05-04 19:09:26.090 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - doFilterInternal:223] --- Securing GET /testweb/get
2024-05-04 19:09:26.092 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking DisableEncodeUrlFilter (1/11)
2024-05-04 19:09:26.095 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking WebAsyncManagerIntegrationFilter (2/11)
2024-05-04 19:09:26.096 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderFilter (3/11)
2024-05-04 19:09:26.098 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking HeaderWriterFilter (4/11)
2024-05-04 19:09:26.100 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking CorsFilter (5/11)
2024-05-04 19:09:26.102 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking LogoutFilter (6/11)
2024-05-04 19:09:26.103 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.l.LogoutFilter - requiresLogout:121] --- Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-05-04 19:09:26.104 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking RequestCacheAwareFilter (7/11)
2024-05-04 19:09:26.104 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - getMatchingRequest:111] --- matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-05-04 19:09:26.104 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderAwareRequestFilter (8/11)
2024-05-04 19:09:26.105 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AnonymousAuthenticationFilter (9/11)
2024-05-04 19:09:26.107 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking ExceptionTranslationFilter (10/11)
2024-05-04 19:09:26.107 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AuthorizationFilter (11/11)
2024-05-04 19:09:26.108 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:74] --- Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203]
2024-05-04 19:09:26.109 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:83] --- Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$1706/0x0000000134b3a530@6ed71619
2024-05-04 19:09:26.114 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - lambda$doFilterInternal$3:227] --- Secured GET /testweb/get
2024-05-04 19:09:26.116 [DEBUG] [http-nio-8080-exec-1] [o.s.c.l.LogFormatUtils - traceDebug:120] --- GET "/testweb/get", parameters={}
2024-05-04 19:09:26.118 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.h.AbstractHandlerMapping - getHandler:531] --- Mapped to com.psg.payment.controller.TestController#getTest()
2024-05-04 19:09:26.156 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.v.AbstractView - render:307] --- View name '/testHtml', model {}
2024-05-04 19:09:26.160 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.v.InternalResourceView - renderMergedOutputModel:169] --- Forwarding to [/WEB-INF/jsp/testHtml.jsp]
2024-05-04 19:09:26.167 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - getFilters:245] --- Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@57202722, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7bc342f6, org.springframework.security.web.context.SecurityContextHolderFilter@67b920c9, org.springframework.security.web.header.HeaderWriterFilter@77e467d9, org.springframework.web.filter.CorsFilter@20c3be4c, org.springframework.security.web.authentication.logout.LogoutFilter@1290fc6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3f6fa2dd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@278e721e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77d86aba, org.springframework.security.web.access.ExceptionTranslationFilter@c4e440b, org.springframework.security.web.access.intercept.AuthorizationFilter@38988d78]] (1/1)
2024-05-04 19:09:26.167 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - doFilterInternal:223] --- Securing GET /WEB-INF/jsp/testHtml.jsp
2024-05-04 19:09:26.167 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking DisableEncodeUrlFilter (1/11)
2024-05-04 19:09:26.168 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking WebAsyncManagerIntegrationFilter (2/11)
2024-05-04 19:09:26.168 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderFilter (3/11)
2024-05-04 19:09:26.168 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking HeaderWriterFilter (4/11)
2024-05-04 19:09:26.169 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking CorsFilter (5/11)
2024-05-04 19:09:26.169 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking LogoutFilter (6/11)
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.l.LogoutFilter - requiresLogout:121] --- Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking RequestCacheAwareFilter (7/11)
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - getMatchingRequest:111] --- matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderAwareRequestFilter (8/11)
2024-05-04 19:09:26.171 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AnonymousAuthenticationFilter (9/11)
2024-05-04 19:09:26.171 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking ExceptionTranslationFilter (10/11)
2024-05-04 19:09:26.171 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AuthorizationFilter (11/11)
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:74] --- Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203]]]
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:83] --- Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203]]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@26b285
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.HttpSessionSecurityContextRepository - readSecurityContextFromSession:206] --- No HttpSession currently exists
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.173 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.AnonymousAuthenticationFilter - defaultWithAnonymous:116] --- Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-05-04 19:09:26.174 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.AnonymousAuthenticationFilter - defaultWithAnonymous:127] --- Did not set SecurityContextHolder since already authenticated AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-05-04 19:09:26.180 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.ExceptionTranslationFilter - handleAccessDeniedException:194] --- Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
```
```
org.springframework.security.access.AccessDeniedException: Access Denied
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:75)
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
	at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
	at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:653)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:419)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:340)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:277)
	at org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequestDispatcher.forward(HeaderWriterFilter.java:170)
	at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:171)
	at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:314)
	at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1431)
	at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1167)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1106)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:979)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)
	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:564)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
	at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
	at org.springframework.security.web.ObservationFilterChainDecorator$FilterObservation$SimpleFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:479)
	at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:340)
	at org.springframework.security.web.ObservationFilterChainDecorator.lambda$wrapSecured$0(ObservationFilterChainDecorator.java:82)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:128)
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
	at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
	at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195)
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
	at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.base/java.lang.Thread.run(Thread.java:842)
```
2024-05-04 19:09:26.198 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - saveRequest:80] --- Saved request http://localhost:8080/WEB-INF/jsp/testHtml.jsp?continue to session
2024-05-04 19:09:26.199 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.a.Http403ForbiddenEntryPoint - commence:57] --- Pre-authenticated entry point called. Rejecting access
2024-05-04 19:09:26.199 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.h.w.HstsHeaderWriter - writeHeaders:151] --- Not injecting HSTS header since it did not match request to [Is Secure]
2024-05-04 19:09:26.202 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - logResult:1138] --- Completed 403 FORBIDDEN
2024-05-04 19:09:26.206 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - getFilters:245] --- Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@57202722, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7bc342f6, org.springframework.security.web.context.SecurityContextHolderFilter@67b920c9, org.springframework.security.web.header.HeaderWriterFilter@77e467d9, org.springframework.web.filter.CorsFilter@20c3be4c, org.springframework.security.web.authentication.logout.LogoutFilter@1290fc6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3f6fa2dd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@278e721e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77d86aba, org.springframework.security.web.access.ExceptionTranslationFilter@c4e440b, org.springframework.security.web.access.intercept.AuthorizationFilter@38988d78]] (1/1)
2024-05-04 19:09:26.206 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - doFilterInternal:223] --- Securing GET /error
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking DisableEncodeUrlFilter (1/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking WebAsyncManagerIntegrationFilter (2/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderFilter (3/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking HeaderWriterFilter (4/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking CorsFilter (5/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking LogoutFilter (6/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.l.LogoutFilter - requiresLogout:121] --- Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking RequestCacheAwareFilter (7/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - getMatchingRequest:111] --- matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderAwareRequestFilter (8/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AnonymousAuthenticationFilter (9/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking ExceptionTranslationFilter (10/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AuthorizationFilter (11/11)
2024-05-04 19:09:26.209 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:74] --- Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@2db77c64]]
2024-05-04 19:09:26.209 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:83] --- Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@2db77c64]] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$1706/0x0000000134b3a530@6ed71619
2024-05-04 19:09:26.210 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - lambda$doFilterInternal$3:227] --- Secured GET /error
2024-05-04 19:09:26.210 [DEBUG] [http-nio-8080-exec-1] [o.s.c.l.LogFormatUtils - traceDebug:120] --- "ERROR" dispatch for GET "/error", parameters={}
2024-05-04 19:09:26.212 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.h.AbstractHandlerMapping - getHandler:531] --- Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-05-04 19:09:26.223 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.m.m.a.AbstractMessageConverterMethodProcessor - writeWithMessageConverters:275] --- Using 'application/json', given [/] and supported [application/json, application/*+json]
2024-05-04 19:09:26.225 [DEBUG] [http-nio-8080-exec-1] [o.s.c.l.LogFormatUtils - traceDebug:120] --- Writing [{timestamp=Sat May 04 19:09:26 KST 2024, status=403, error=Forbidden, path=/testweb/get}]
2024-05-04 19:09:26.239 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - logResult:1135] --- Exiting from "ERROR" dispatch, status 403
2024-05-04 19:09:26.239 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.HttpSessionSecurityContextRepository - readSecurityContextFromSession:213] --- Did not find SecurityContext in HttpSession D599ED1C6CED59B783E1B84289045F6E using the SPRING_SECURITY_CONTEXT session attribute
2024-05-04 19:09:26.239 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.239 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.240 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.AnonymousAuthenticationFilter - defaultWithAnonymous:116] --- Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=D599ED1C6CED59B783E1B84289045F6E], Granted Authorities=[ROLE_ANONYMOUS]]
Comment From: fanciz1227
Oh... sorry, I solved the problem with the comment found in the previous issue! If anyone happens to see this post, specifying it in authorizeHttpRequests with dispatcherTypeMatchers should solve the problem:
dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
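
The rule from the comment above, placed in the filter chain from the issue. This is an added example, not code from the issue or from Spring Security, and the class name `JspForwardSecurityConfig` is hypothetical. The rule opens only container-internal FORWARD and ERROR dispatches, so a direct request to any path outside `/testweb/**` still requires authentication.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class JspForwardSecurityConfig { // hypothetical name, not from the issue

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Carried over unchanged from the configuration in the issue.
            .csrf(AbstractHttpConfigurer::disable)
            .authorizeHttpRequests(authorize -> authorize
                // Spring Security 6 runs authorization on every dispatch, not
                // only on the initial REQUEST. Rendering the JSP view is a
                // FORWARD to /WEB-INF/jsp/testHtml.jsp (the URL in the
                // "Saved request" log line). "/testweb/**" does not match that
                // path, so the forward fell through to anyRequest().authenticated()
                // and was rejected; the 403 was then rendered through an ERROR
                // dispatch to /error.
                // Rules are evaluated in declaration order, so this one must
                // come before anyRequest().
                .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                // The initial REQUEST dispatch to the MVC controller.
                .requestMatchers("/testweb/**").permitAll()
                // Every other directly requested path still needs a login.
                .anyRequest().authenticated());
        return http.build();
    }
}
```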