Description
The FilterSecurityInterceptor and AuthorizationFilter now apply to every request by default. This led to a problem from Spring Boot's perspective. Consider the following configuration:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception { // build() declares Exception
    http.authorizeHttpRequests(requests -> requests
        .antMatchers("/public/**").permitAll()   // public paths
        .anyRequest().authenticated()            // everything else, including /error, needs authentication
    );
    return http.build();
}
```
If a request is made to GET /public/notfound with no credentials, then we expect a 404 - Not Found. Instead, Spring Boot will handle the exception and forward the request to /error with DispatcherType.ERROR. The /error endpoint is protected, so an AuthenticationException is thrown and ExceptionTranslationFilter transforms it into a 401 - Unauthorized.
We should consider adding an option to ExceptionTranslationFilter that configures it to swallow the Spring Security exceptions from specified DispatcherTypes. Something like:
```java
@Bean
SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
    ...
    // proposed API, does not exist yet
    http.exceptionHandling(exception -> exception
        .swallowExceptionsForDispatcherTypes(List.of(DispatcherType.ERROR))
    );
    return http.build();
}
```
This way we keep the original response status code but apply all the authorization rules to that endpoint.
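For comparison, the following is an added example (not code from the issue or from the Spring Security project) of what is already possible with the shipped API: the ERROR dispatch is matched explicitly and permitted, so the 404 survives Boot's forward to /error. It assumes Spring Security 6.x (`jakarta.servlet.DispatcherType`, `requestMatchers`); the class name and bean layout are made up for the example.

```java
import jakarta.servlet.DispatcherType;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example: keep the original status code of a failed request by letting
 * the ERROR dispatch (Boot's forward to /error) through authorization entirely.
 *
 * Assumes Spring Security 6.x. The trade-off: unlike the option proposed in this
 * issue, no authorization rule is evaluated for /error at all, so whatever the
 * error view renders is served to unauthenticated clients.
 */
@Configuration
@EnableWebSecurity
public class ErrorDispatchSecurityConfig {

    @Bean
    SecurityFilterChain appSecurity(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(requests -> requests
            // Rules are evaluated in order: the ERROR-dispatch rule must come before
            // anyRequest(), otherwise the forward to /error is still treated as an
            // unauthenticated request and turned into a 401.
            .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
            .requestMatchers("/public/**").permitAll()
            .anyRequest().authenticated()
        );
        return http.build();
    }
}
```

With this configuration an anonymous GET /public/notfound is handled by the REQUEST dispatch (permitted by the /public/** rule), the resulting 404 is forwarded to /error with DispatcherType.ERROR, and that forward is permitted as well, so the client sees the 404. The difference to the proposal above is the granularity: here the whole ERROR dispatch is unauthorized territory, whereas a swallow option on ExceptionTranslationFilter would still run the authorization rules for /error and only stop the status code from being rewritten.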
See:
- Authorization on Every Dispatch Type #11027
- FilterSecurityInterceptor applies to every request by default #11466
- Investigate options for removing Spring Boot's ErrorPageSecurityFilter #10919
- Remove ErrorPageSecurityFilter now that security filters all dispatchers by default and not only once per request spring-boot#31703