I am providing a simple reproduction project. After I migrate from Spring boot 2.8.7 to Spring Boot 3.2.1 with Spring Security 6 when the Security configuration is with anyRequest().authenticated() I receive 403 Forbidden if i permitAll() requests, everything work as generating JWT and using the application.
``` Securing POST /accounts 2024-01-13T16:18:04.537+02:00 DEBUG 73343 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext 2024-01-13T16:18:04.539+02:00 DEBUG 73343 --- [nio-8082-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access 2024-01-13T16:18:04.546+02:00 DEBUG 73343 --- [nio-8082-exec-1] o.s.security.web.FilterChainProxy : Securing POST /error 2024-01-13T16:18:04.547+02:00 DEBUG 73343 --- [nio-8082-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext 2024-01-13T16:18:04.547+02:00 DEBUG 73343 --- [nio-8082-exec-1] o.s.s.w.a.Http403ForbiddenEntryPoint : Pre-authenticated entry point called. Rejecting access
You can take a look the simple project its use H2 as databse.
Reproduction repository link:
https://github.com/mikebgrep/simple-spring-security-reporoduction
_Originally posted by @mikebgrep in https://github.com/spring-projects/spring-security/issues/14410
#issuecomment-1890472477_
**Comment From: kse-music**
Because in the current version, the default error request is processed by the security filter chain,see `AuthorizationFilter` 108 Line.
In the demo you give, there are two ways to solve this problem:
1. permit error request ,modify as below
`private static final String[] WHITE_LIST_URL = { "/auth/**", "/error", "/account"};`
2. error request not handle ,use BeanPostProcessor implements
@Component
public class MyBeanPostProcessor implements BeanPostProcessor{
@Override
public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
if (bean instanceof AuthorizationFilter authorizationFilter) {
authorizationFilter.setFilterErrorDispatch(false);
}
return bean;
}
}
**Comment From: mikebgrep**
@kse-music Thank you for the response. I will try the suggestions.But still can't understand if this is expected behaviour or if there is a bug.
**Comment From: marcusdacoregio**
Hi, @mikebgrep. I added a endpoint in your sample to hit when I have the token and it worked fine. Maybe you are trying to request an URL that is not mapped, throwing a 404 and then, as @kse-music said, the request will be redirected to `/error` and that endpoint is protected since you are not [saving the authentication anywhere](https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#store-authentication-manually).
**Comment From: mikebgrep**
Hi, not exactly. I have a problem retrive the token as this implementation works before the update .Also, any request returns 403, even if it is without authentication in the Spring Security configuration.
I will check the suggestions tomorrow.
**Comment From: mikebgrep**
@kse-music I add the example you provided, and I got an error message this time still can't retrieve the token from the login request.I add both examples. I am not sure that this supposes to fix the issue. Please take a look.
{ "timestamp": "2024-01-19T08:33:51.121+00:00", "status": 401, "error": "Unauthorized", "message": "Full authentication is required to access this resource", "path": "/api/v1/auth/login" } ```
@marcusdacoregio I am not sure the link you share is applicable here since I can't get the token at first place to authenticate at the rest of the requests.
Comment From: marcusdacoregio
I just opened a PR to your repo https://github.com/mikebgrep/simple-spring-security-reporoduction/pull/1.
It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.
Comment From: mikebgrep
@marcusdacoregio You were right appear that the implementation of the endpoints paths was the problem and the changes about the /error endpoint lead me to misunderstanding of the problem @kse-music thank you also for the answer it was help me a lot. There was a problem also with hibernate before I log this issue, so the problem was multidimensional :100:
Comment From: mehaksaini2811
Hello everyone, I'm facing a similar issue upon upgrading my spring-boot-starter web dependency from 2.6.7 to 3.2.5. I'm able to access the api from Postman but it throws a 403 (CORS 403 on OPTIONS call) when accessed from outside applications. I'm not using spring-security in our code and it was working fine before the upgrade. We do have CORSInterceptor in our code but request is not reaching there. Any help would be appreciated. Thanks in advance!
Comment From: hasandg
Is it possible that you used Basic Auth on Postman etc. because you used Bearer Authorization on JwtAuthenticationFilter.java file. I had same error and I realised that I used Basic Auth, It should No Auth with Headers section Authorization "Bearer JWT_token" or directly Bearer Token with no Header!