WebLogic applies the ErrorPageFilter in the wrong order

[bbrouwer]

WebLogic bug 20493506 : WLS 12.1.2 -SERVLET 3 ADDFILTER ADDS FILTERS IN WRONG ORDER

Due to this bug, when using Spring boot in WebLogic 12c, authentication and authorization errors come back as 500 error codes, rather than 401 or 403. This can make it impossible to log into an app using Basic Auth.

I got around the issue by setting up an error page in the web.xml of my app and removing the ErrorPageFilter like this in the SpringBootServletInitializer subclass:

protected WebApplicationContext run(SpringApplication application) {
    application.getSources().remove(ErrorPageFilter.class);
    return super.run(application);
}

Oracle has fixed the bug and a patch should soon be available for 12.1.2 and 12.1.3. I just wanted to report this here in case anyone else ran into this issue. I don't think Spring Boot should do anything to fix this.

[philwebb]

Thanks for reporting! 👍

[bernerbrau]

Not sure if it's been patched or not, but it's still not working for us, two years later. I've developed the following workaround: https://gist.github.com/bernerbrau/415139e8e51ff1845daba7ff241e08d7

[bbrouwer]

Who knows when Oracle will incorporate the patch into the released version of Weblogic. I know we've had to request a new patch with every single upgrade of Weblogic. You should be able to ask for a patch for the bug I identified. Maybe if enough people harass Oracle for a patch for this bug they will finally include it in the standard release of Weblogic.