Default Security Configuration adds WWW-Authenticate Twice #13737

Closed
rwinch opened this issue Aug 24, 2023 · 1 comment
Labels: in: web, type: bug

rwinch (Member) commented Aug 24, 2023

The default configuration of Spring Security 6.1.2 adds the WWW-Authenticate twice when an unauthenticated request comes in to an unauthorized endpoint.

This happens because the ExceptionTranslationFilter is invoked once for the REQUEST dispatch and then again for ERROR dispatch when handling the authorization error for the error page.

rwinch added the status: waiting-for-triage and type: bug labels on Aug 24, 2023

marcusdacoregio (Contributor) commented Aug 31, 2023

It is important to mention that RFC 7235 says (emphasized by me):

> User agents are advised to take special care in parsing the field
> value, as it might contain more than one challenge, and each
> challenge can contain a comma-separated list of authentication
> parameters. Furthermore, the header field itself can occur multiple
> times.

I don't know that when an application has multiple authentication schemes we support responding with multiple WWW-Authenticate headers, but it is important to keep that in mind.

marcusdacoregio added the in: web label and removed the status: waiting-for-triage label on Aug 31, 2023
marcusdacoregio added this to the 5.8.7 milestone on Aug 31, 2023
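
A check for the symptom reported in this issue that still accepts the multi-challenge responses RFC 7235 allows, as an added example (not code from Spring Security or from either commenter): it parses every WWW-Authenticate field value into challenges and reports only challenges that are repeated verbatim. The header values are constructed samples, and `parse_challenges` and `duplicate_challenges` are hypothetical helper names.

```python
import re
from collections import Counter

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM_RE = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})$")
CHALLENGE_RE = re.compile(rf"({TOKEN})(?:\s+(.+))?$")
ITEM_RE = re.compile(rf'(?:{QUOTED}|[^,"])+')  # comma-separated items, commas in quotes kept

# Constructed sample field values, one list entry per WWW-Authenticate header line.
SAMPLE_DUPLICATED = ['Basic realm="example"', 'Basic realm="example"']
SAMPLE_MULTI_SCHEME = ['Basic realm="example", Bearer realm="example", error="invalid_token"',
                       'Negotiate']


def _unquote(value):
    """Strip the quotes and backslash escapes from a quoted-string."""
    return re.sub(r"\\(.)", r"\1", value[1:-1]) if value.startswith('"') else value


def parse_challenges(field_values):
    """Return (scheme, params) for every challenge across all header occurrences."""
    challenges = []
    for field in field_values:
        current = None  # params of the challenge being built within this field
        for match in ITEM_RE.finditer(field):
            item = match.group().strip()
            if not item:
                continue
            param = PARAM_RE.match(item)
            if param and current is not None:  # auth-param continuing a challenge
                current[param.group(1).lower()] = _unquote(param.group(2))
                continue
            start = CHALLENGE_RE.match(item)
            if not start:
                raise ValueError(f"malformed challenge item: {item!r}")
            current, rest = {}, (start.group(2) or "").strip()
            first = PARAM_RE.match(rest)
            if first:
                current[first.group(1).lower()] = _unquote(first.group(2))
            elif rest:
                current["token68"] = rest  # e.g. a Negotiate token
            challenges.append((start.group(1), current))
    return challenges


def duplicate_challenges(field_values):
    """Return {(scheme, params): count} for challenges repeated verbatim."""
    counts = Counter((scheme.lower(), tuple(sorted(params.items())))
                     for scheme, params in parse_challenges(field_values))
    return {key: n for key, n in counts.items() if n > 1}
```

Run against the response to an unauthenticated request, a non-empty result from `duplicate_challenges` indicates the repeated header described in the issue, while distinct challenges for several schemes pass.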