Spring do not support 401 unauthorized responce by default

[ybaidiuk]

Will be great to become 401 respnce by default .

now logic is brocken

#10715

Arguments:
Developer Burden: Developers now need to implement their own solutions for previously handled features, which can lead to duplicated effort across the community.
Compliance and Consistency: Ensuring compliance with standards like HTTP can be more error-prone if developers have to implement these features themselves. This can lead to inconsistencies and mistakes, especially for less experienced developers.

[wilkinsona]

Spring Boot supports 401 responses through Spring Security. Any request to an endpoint that requires authorization will return a 401 response when not authorized.

[ybaidiuk]

in my case no, so i have to add :
.exceptionHandling(handler -> handler.authenticationEntryPoint((request, response, authException) ->
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage())));

without it, I will get 403 Forbidden.

[ybaidiuk]

My request passing through JwtAuthFilter without any changes, and default filter should see that user without auth try to reach protected url and give back 401, but i get 403 instead.

[ybaidiuk]

i fixed issue by adding 2 exaption handler which is annoying, it should be out of the box.

  .exceptionHandling(a -> a.accessDeniedHandler((request, response, accessDeniedException) -> response.setStatus(403)))
            .exceptionHandling(handler -> handler.authenticationEntryPoint((request, response, authException) ->
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage())));

[wilkinsona]

AFAIK, neither of those should be necessary. I can't tell for certain as you haven't provided a complete example of your configuration. It seems like you're looking for some help with Spring Security. Spring Boot's issue tracker isn't the right place for that. I would start by asking a question on Stack Overflow using the spring-security tag.

[ybaidiuk]

On stackoverflow exist already one topic which confirm my arguments https://stackoverflow.com/questions/30643029/spring-security-anonymous-401-instead-of-403

…

On Sun, Jul 14, 2024, 16:16 Andy Wilkinson ***@***.***> wrote: AFAIK, neither of those should be necessary. I can't tell for certain as you haven't provided a complete example of your configuration. It seems like you're looking for some help with Spring Security. Spring Boot's issue tracker isn't the right place for that. I would start be asking a question on Stack Overflow using the spring-security tag. — Reply to this email directly, view it on GitHub <#41483 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC3KFZ6RW3XA3R54NPHNBWDZMKB47AVCNFSM6AAAAABK2U2UHOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMRXGM3DKMJSGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[wilkinsona]

If you think this could be improved, you should open a Spring Security issue. If you do so, please take the time to describe your situation in full. That should include all of your Spring Security configuration and complete details of the request that you're sending when you receive a 403 response but expect a 401. Please don't rely on screenshots to provide this information as they often do not tell the whole story. For example, only now that you've linked to someone else's question of Stack Overflow have I learned that you're probably asking about the response when a request is made that contains no attempt to authenticate. Details like that are important.