Describe the bug
After migrating from SpringBoot 2.7.7 to Spring Boot 3.0.2 I observed that REST endpoints which return a Mono<ResponseEntity<String>> still work, but return a HTTP 401 response code.
To Reproduce
- Create Controller which returns
Mono<ResponseEntity<String>>:
@GetMapping("/testmono")
fun testmono(): Mono<ResponseEntity<String>> {
logger.info("in monotest")
return Mono.just(ResponseEntity.ok("test"))
}
@GetMapping("/test")
fun test(): ResponseEntity<String> {
logger.info("in test")
return ResponseEntity.ok("test")
}
SecurityConfig:
@Bean
@Order(2)
fun filterChain(http: HttpSecurity): SecurityFilterChain {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeHttpRequests {
it.requestMatchers("/openpaths/**").permitAll()
it.anyRequest().authenticated()
}
.addFilterBefore(
JwtAuthTokenFilter(jwtTokenService, userDetailService),
UsernamePasswordAuthenticationFilter::class.java
)
.addFilterBefore(FilterChainExceptionHandler(handlerExceptionResolver), JwtAuthTokenFilter::class.java)
.exceptionHandling().authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
return http.build()
}
@Bean
@Order(1)
fun specialPaths(http: HttpSecurity): SecurityFilterChain {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.httpBasic()
.and()
.securityMatcher("/actuator/**", "/v3/api-docs/**", "/swagger/**")
.authorizeHttpRequests {
it.requestMatchers("/actuator/**").hasAnyRole("ADMIN")
it.requestMatchers("/v3/api-docs/**").hasAnyRole("ADMIN")
it.requestMatchers("/swagger/**").hasAnyRole("ADMIN")
}
return http.build()
}
Expected behavior Both requests return HTTP 200 when called with valid authentication (jwt token). Currently both execute but /testmono returns HTTP 401 in postman. Both return HTTP 200 when called with SpringBoot 2.7.7.
SpringSecurity TRACE logs with SpringBoot 3.0.2
2023-02-16 13:33:38.101 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/actuator/**'], Mvc [pattern='/v3/api-docs/**'], Mvc [pattern='/swagger/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@1878d502, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@724566fa, org.springframework.security.web.context.SecurityContextHolderFilter@7b2b7652, org.springframework.security.web.header.HeaderWriterFilter@7c421207, org.springframework.security.web.authentication.logout.LogoutFilter@6d6c56a2, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@15eff700, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@22b1dcff, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4e0f2084, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@65c5d94b, org.springframework.security.web.session.SessionManagementFilter@72563e0f, org.springframework.security.web.access.ExceptionTranslationFilter@4972063e, org.springframework.security.web.access.intercept.AuthorizationFilter@2c4d0ddd]] (1/2)
2023-02-16 13:33:38.102 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@35b1f36b, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@162f9e79, org.springframework.security.web.context.SecurityContextHolderFilter@382a9597, org.springframework.security.web.header.HeaderWriterFilter@3b80154a, com.config.FilterChainExceptionHandler@2fa90505, com.config.JwtAuthTokenFilter@44e945cc, org.springframework.security.web.authentication.logout.LogoutFilter@681e7f75, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@605b5df1, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5223bb87, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7ef9dc91, org.springframework.security.web.session.SessionManagementFilter@7aae467c, org.springframework.security.web.access.ExceptionTranslationFilter@71ad3d1f, org.springframework.security.web.access.intercept.AuthorizationFilter@4eae182f]] (2/2)
2023-02-16 13:33:38.102 =DEBUG n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /test/test
2023-02-16 13:33:38.102 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
2023-02-16 13:33:38.103 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-02-16 13:33:38.103 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/13)
2023-02-16 13:33:38.103 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
2023-02-16 13:33:38.103 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking FilterChainExceptionHandler (5/13)
2023-02-16 13:33:38.103 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking JwtAuthTokenFilter (6/13)
2023-02-16 13:33:38.130 =TRACE n/a --- [nio-8080-exec-3] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-02-16 13:33:38.161 =DEBUG n/a --- [nio-8080-exec-3] c.e.config.JwtAuthTokenFilter : API request to </test/test> with token <true>
2023-02-16 13:33:38.161 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/13)
2023-02-16 13:33:38.161 =TRACE n/a --- [nio-8080-exec-3] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-02-16 13:33:38.161 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Did not set SecurityContextHolder since already authenticated UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=test, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=737C58370D33C827EB544AD0422D65FB], Granted Authorities=[ROLE_USER]]
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/1)
2023-02-16 13:33:38.162 =DEBUG n/a --- [nio-8080-exec-3] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from 737C58370D33C827EB544AD0422D65FB
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2023-02-16 13:33:38.162 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (13/13)
2023-02-16 13:33:38.164 =DEBUG n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Secured GET /test/test
2023-02-16 13:33:38.164 =DEBUG n/a --- [nio-8080-exec-3] horizationManagerBeforeMethodInterceptor : Authorizing method invocation ReflectiveMethodInvocation: public reactor.core.publisher.Mono com.test.TestService.test(); target is of class [com.test.TestService]
2023-02-16 13:33:38.164 =DEBUG n/a --- [nio-8080-exec-3] horizationManagerBeforeMethodInterceptor : Authorized method invocation ReflectiveMethodInvocation: public reactor.core.publisher.Mono com.test.TestService.test(); target is of class [com.test.TestService]
2023-02-16 13:33:38.165 =TRACE n/a --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-02-16 13:33:38.166 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Mvc [pattern='/actuator/**'], Mvc [pattern='/v3/api-docs/**'], Mvc [pattern='/swagger/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@1878d502, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@724566fa, org.springframework.security.web.context.SecurityContextHolderFilter@7b2b7652, org.springframework.security.web.header.HeaderWriterFilter@7c421207, org.springframework.security.web.authentication.logout.LogoutFilter@6d6c56a2, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@15eff700, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@22b1dcff, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4e0f2084, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@65c5d94b, org.springframework.security.web.session.SessionManagementFilter@72563e0f, org.springframework.security.web.access.ExceptionTranslationFilter@4972063e, org.springframework.security.web.access.intercept.AuthorizationFilter@2c4d0ddd]] (1/2)
2023-02-16 13:33:38.166 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@35b1f36b, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@162f9e79, org.springframework.security.web.context.SecurityContextHolderFilter@382a9597, org.springframework.security.web.header.HeaderWriterFilter@3b80154a, com.config.FilterChainExceptionHandler@2fa90505, com.config.JwtAuthTokenFilter@44e945cc, org.springframework.security.web.authentication.logout.LogoutFilter@681e7f75, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@605b5df1, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5223bb87, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7ef9dc91, org.springframework.security.web.session.SessionManagementFilter@7aae467c, org.springframework.security.web.access.ExceptionTranslationFilter@71ad3d1f, org.springframework.security.web.access.intercept.AuthorizationFilter@4eae182f]] (2/2)
2023-02-16 13:33:38.166 =DEBUG n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /test/test
2023-02-16 13:33:38.166 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
2023-02-16 13:33:38.167 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-02-16 13:33:38.167 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/13)
2023-02-16 13:33:38.167 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
2023-02-16 13:33:38.167 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking FilterChainExceptionHandler (5/13)
2023-02-16 13:33:38.167 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking JwtAuthTokenFilter (6/13)
2023-02-16 13:33:38.167 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/13)
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2023-02-16 13:33:38.168 =TRACE n/a --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (13/13)
2023-02-16 13:33:38.170 =TRACE n/a --- [nio-8080-exec-3] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2023-02-16 13:33:38.170 =TRACE n/a --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=1238B8A56C8DE7D328CA7C1546678534], Granted Authorities=[ROLE_ANONYMOUS]]
SpringSecurity TRACE logs with SpringBoot 2.7.7
2023-02-16 13:43:30.778 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Ant [pattern='/actuator/**'], Ant [pattern='/v3/api-docs/**'], Ant [pattern='/swagger/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@779bf874, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2eb4ea3d, org.springframework.security.web.context.SecurityContextPersistenceFilter@5341ee42, org.springframework.security.web.header.HeaderWriterFilter@5214200d, org.springframework.security.web.authentication.logout.LogoutFilter@405226ab, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7aa46a50, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@21ee1004, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5209487c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7dce32a2, org.springframework.security.web.session.SessionManagementFilter@324c13a6, org.springframework.security.web.access.ExceptionTranslationFilter@5a551107, org.springframework.security.web.access.intercept.AuthorizationFilter@7790c8d5]] (1/2)
2023-02-16 13:43:30.778 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@6332887, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@18dad41b, org.springframework.security.web.context.SecurityContextPersistenceFilter@3f6ef977, org.springframework.security.web.header.HeaderWriterFilter@182be87f, org.springframework.security.web.authentication.logout.LogoutFilter@7e612d29, com.config.FilterChainExceptionHandler@1151587, com.config.JwtAuthTokenFilter@719f34c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@46fd7439, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@348913f4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6e774d65, org.springframework.security.web.session.SessionManagementFilter@38cdef7b, org.springframework.security.web.access.ExceptionTranslationFilter@1a224a2a, org.springframework.security.web.access.intercept.AuthorizationFilter@11b2ddfb]] (2/2)
2023-02-16 13:43:30.778 =DEBUG n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Securing GET /test/test
2023-02-16 13:43:30.778 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
2023-02-16 13:43:30.778 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-02-16 13:43:30.779 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/13)
2023-02-16 13:43:30.779 =DEBUG n/a --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2023-02-16 13:43:30.779 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
2023-02-16 13:43:30.779 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/13)
2023-02-16 13:43:30.779 =TRACE n/a --- [nio-8080-exec-4] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-02-16 13:43:30.779 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking FilterChainExceptionHandler (6/13)
2023-02-16 13:43:30.779 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking JwtAuthTokenFilter (7/13)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Did not set SecurityContextHolder since already authenticated UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=test, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_USER]]
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/1)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2023-02-16 13:43:30.834 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (13/13)
2023-02-16 13:43:30.834 =DEBUG n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Secured GET /test/test
2023-02-16 13:43:30.835 =TRACE n/a --- [nio-8080-exec-4] o.s.s.a.i.a.MethodSecurityInterceptor : Did not re-authenticate UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=test, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_USER]] before authorizing
2023-02-16 13:43:30.835 =TRACE n/a --- [nio-8080-exec-4] o.s.s.a.i.a.MethodSecurityInterceptor : Authorizing ReflectiveMethodInvocation: public reactor.core.publisher.Mono com.test.TestService.test(); target is of class [com.test.TestService] with attributes [[authorize: 'hasRole('ROLE_USER')', filter: 'null', filterTarget: 'null']]
2023-02-16 13:43:30.835 =DEBUG n/a --- [nio-8080-exec-4] o.s.s.a.i.a.MethodSecurityInterceptor : Authorized ReflectiveMethodInvocation: public reactor.core.publisher.Mono com.test.TestService.test(); target is of class [com.test.TestService] with attributes [[authorize: 'hasRole('ROLE_USER')', filter: 'null', filterTarget: 'null']]
2023-02-16 13:43:30.835 =TRACE n/a --- [nio-8080-exec-4] o.s.s.a.i.a.MethodSecurityInterceptor : Did not switch RunAs authentication since RunAsManager returned null
2023-02-16 13:43:30.835 =TRACE n/a --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-02-16 13:43:30.835 =DEBUG n/a --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=Or [Ant [pattern='/actuator/**'], Ant [pattern='/v3/api-docs/**'], Ant [pattern='/swagger/**']], Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@779bf874, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2eb4ea3d, org.springframework.security.web.context.SecurityContextPersistenceFilter@5341ee42, org.springframework.security.web.header.HeaderWriterFilter@5214200d, org.springframework.security.web.authentication.logout.LogoutFilter@405226ab, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7aa46a50, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@21ee1004, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@5209487c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@7dce32a2, org.springframework.security.web.session.SessionManagementFilter@324c13a6, org.springframework.security.web.access.ExceptionTranslationFilter@5a551107, org.springframework.security.web.access.intercept.AuthorizationFilter@7790c8d5]] (1/2)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@6332887, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@18dad41b, org.springframework.security.web.context.SecurityContextPersistenceFilter@3f6ef977, org.springframework.security.web.header.HeaderWriterFilter@182be87f, org.springframework.security.web.authentication.logout.LogoutFilter@7e612d29, com.config.FilterChainExceptionHandler@1151587, com.config.JwtAuthTokenFilter@719f34c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@46fd7439, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@348913f4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6e774d65, org.springframework.security.web.session.SessionManagementFilter@38cdef7b, org.springframework.security.web.access.ExceptionTranslationFilter@1a224a2a, org.springframework.security.web.access.intercept.AuthorizationFilter@11b2ddfb]] (2/2)
2023-02-16 13:43:30.836 =DEBUG n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Securing GET /test/test
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/13)
2023-02-16 13:43:30.836 =DEBUG n/a --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.s.w.a.logout.LogoutFilter : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking FilterChainExceptionHandler (6/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking JwtAuthTokenFilter (7/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
2023-02-16 13:43:30.836 =TRACE n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Invoking AuthorizationFilter (13/13)
2023-02-16 13:43:30.836 =DEBUG n/a --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Secured GET /sms/test
2023-02-16 13:43:30.837 =TRACE n/a --- [nio-8080-exec-4] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-02-16 13:43:30.838 =DEBUG n/a --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
It is probably not a bug but I am not really sure where to look for a potential solution. The migration guide mentions that the SecurityContext could probably be saved manually to a SecurityContextRepository. I am not sure if this is necessary in my (stateless) case. I also noticed that with 3.0.2 a SessionID is created which was not the case with 2.7.7. If it is not a bug a tip into the right direction would be greatly appreciated.
Comment From: sjohnr
Thanks for getting in touch @christianblust, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Having said that,
The migration guide mentions that the SecurityContext could probably be saved manually to a SecurityContextRepository. I am not sure if this is necessary in my (stateless) case.
The migration guide is correct that it is required. The issue is likely in your JWTAuthTokenFilter but it is not provided, so it is somewhat difficult to say for sure. Note that JWT support is provided out of the box with Spring Security and this filter can most likely be replaced with built-in functionality.