Bug report
POST /alist/alias gets 403, POST /alist/alias/{id} works
I tested more cases and found that it is actually a 400 Bad Request, but a 403 is returned without an error message.
Env
Spring Boot 3.1.2
native-image 17.0.8 2023-07-18
GraalVM Runtime Environment Oracle GraalVM 17.0.8+9.1 (build 17.0.8+9-LTS-jvmci-23.0-b14)
Substrate VM Oracle GraalVM 17.0.8+9.1 (build 17.0.8+9-LTS, serial gc, compressed references)
Runtime OS
Alpine Docker container
Log
No errors found in the log.
Code
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.ResponseStatus;

// Resolved by Spring MVC's ResponseStatusExceptionResolver, which answers with
// response.sendError(400) and so hands the response to the container's error page handling.
@ResponseStatus(HttpStatus.BAD_REQUEST)
public class BadRequestException extends RuntimeException {
    public BadRequestException() {
        super();
    }
    public BadRequestException(String message) {
        super(message);
    }
    public BadRequestException(String message, Throwable cause) {
        super(message, cause);
    }
    public BadRequestException(Throwable cause) {
        super(cause);
    }
}
// Imports from org.springframework.web.bind.annotation omitted.
@RestController
@RequestMapping("/alist/alias")
public class AListAliasController {

    // Assumed: the service type is not shown in the report.
    private final AListAliasService service;

    public AListAliasController(AListAliasService service) {
        this.service = service;
    }

    // POST /alist/alias: the request that reaches the client as 403 instead of 400
    @PostMapping
    public AListAlias create(@RequestBody AListAliasDto dto) {
        return service.create(dto);
    }

    // POST /alist/alias/{id}: works as expected
    @PostMapping("/{id}")
    public AListAlias update(@PathVariable Integer id, @RequestBody AListAliasDto dto) {
        return service.update(id, dto);
    }
}
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// tokenFilter is the application's own token-authentication filter, injected elsewhere (not shown in the report).
// Note: Spring Boot also runs this chain on ERROR dispatches, and the container's forward to /error
// keeps the original method, so a POST that ends in sendError(400) is matched by the POST rule again as POST /error.
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // authorizeRequests() is deprecated in Spring Security 6.1 in favour of authorizeHttpRequests()
        .authorizeRequests(requests -> requests.requestMatchers(
                new AntPathRequestMatcher("/accounts/login"),
                new AntPathRequestMatcher("/accounts/logout")
            ).permitAll()
            .requestMatchers(HttpMethod.OPTIONS).permitAll()
            // every mutating request, whatever its path, requires an authenticated principal
            .requestMatchers(HttpMethod.POST).authenticated()
            .requestMatchers(HttpMethod.PUT).authenticated()
            .requestMatchers(HttpMethod.PATCH).authenticated()
            .requestMatchers(HttpMethod.DELETE).authenticated()
            .anyRequest().permitAll())
        // no HTTP session: the SecurityContext is not persisted between dispatches
        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .csrf(AbstractHttpConfigurer::disable)
        .formLogin(AbstractHttpConfigurer::disable)
        .logout(AbstractHttpConfigurer::disable)
        .addFilterBefore(tokenFilter, BasicAuthenticationFilter.class);
    return http.build();
}
Comment From: philwebb
I'm afraid there isn't really enough information in your report for us to determine if this is a bug or an error in your configuration. If you'd like us to spend some time investigating, please take the time to provide a complete minimal sample (something that we can unzip or git clone, build, and deploy) that reproduces the problem.
Comment From: power721
I added a customized exception handler to fix this issue.
// Class name assumed; imports from org.springframework.http, org.springframework.web.bind.annotation,
// org.springframework.web.context.request and org.springframework.web.servlet.mvc.method.annotation omitted.
@RestControllerAdvice
public class ApiExceptionHandler extends ResponseEntityExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(ApiExceptionHandler.class);

    // Writes the 400 and its ProblemDetail body directly instead of going through sendError()
    @ExceptionHandler({BadRequestException.class})
    public ResponseEntity<Object> handleBadRequestException(Exception ex, WebRequest request) {
        log.warn("", ex);
        HttpHeaders headers = new HttpHeaders();
        HttpStatusCode status = HttpStatusCode.valueOf(400);
        ProblemDetail body = ProblemDetail.forStatusAndDetail(status, ex.getMessage());
        return handleExceptionInternal(ex, body, headers, status, request);
    }
}
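A regression test for the behaviour discussed in this thread, added here as an example and not code from the reporter or from Spring Boot: it checks that a BadRequestException thrown under an authenticated POST /alist/alias reaches the client as a 400 with a ProblemDetail body rather than an empty 403, and that an unauthenticated POST is still refused. It assumes the handler is registered in a @RestControllerAdvice extending ResponseEntityExceptionHandler, that the controller depends on a bean of type AListAliasService (a name not given in the report), that tokenFilter lets a request without a token pass through to the authorization rules, and that the chain keeps Spring Security's default 403 entry point since none is configured.

```java
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc // applies the real SecurityFilterChain to MockMvc when spring-security-test is present
class AListAliasControllerStatusTest {

    // Constructed sample payload; the controller never sees it because the service is mocked.
    private static final String BAD_BODY = "{\"name\":\"\"}";

    @Autowired
    private MockMvc mvc;

    @MockBean
    private AListAliasService service; // assumed service type behind the controller

    @Test
    void badRequestReachesClientAs400ProblemDetailNotEmpty403() throws Exception {
        when(service.create(any())).thenThrow(new BadRequestException("name must not be blank"));

        mvc.perform(post("/alist/alias")
                .with(user("alice")) // satisfies requestMatchers(HttpMethod.POST).authenticated()
                .contentType(MediaType.APPLICATION_JSON)
                .content(BAD_BODY))
            .andExpect(status().isBadRequest())
            .andExpect(content().contentTypeCompatibleWith(MediaType.APPLICATION_PROBLEM_JSON))
            .andExpect(jsonPath("$.status").value(400))
            .andExpect(jsonPath("$.detail").value("name must not be blank"));
    }

    @Test
    void unauthenticatedPostIsStillRejected() throws Exception {
        mvc.perform(post("/alist/alias").contentType(MediaType.APPLICATION_JSON).content(BAD_BODY))
            .andExpect(status().isForbidden()); // default Http403ForbiddenEntryPoint, no body expected
    }
}
```

Requires spring-boot-starter-test and spring-security-test on the test classpath; the first test fails with a 403 if the handler is removed and the @ResponseStatus path is used again.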