Description
Hello
I encountered the following error while configuring security through Spring Security version 6.2.4.
I tried to set restricted access using anyRequest().authenticated() and requestMatchers, but encountered an unresolved issue.
- Even though I granted permitAll through requestMatchers, Access Denied occurs according to the trace log. The mapping controller in question is configured to expose screens through JSP as an MVC controller.
- However, granting permitAll to the mapping address of the REST API controller within the same project results in normal operation.
- In JUnit5 test code, tests using mockMvc with the same configuration do not encounter Access Denied and function properly.
- Granting anyRequest.permitAll allows access to the JSP MVC controller without any issues.
Recently, user PavelBortnovskyi also left a comment about the same error that occurred previously.
#14011
It seems there might be a bug in the requestMatcher for the MVC Controller using JSP.
Below is the code I tested.
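```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping(path = "/testweb")
@Controller
public class TestController { // This is an MVC controller
    @GetMapping(value = "/get")
    public String getTest() {
        // This test web page does not exist (page not found)
        // The view resolver is configured with registry.jsp("/WEB-INF/jsp", ".jsp");
        return "/testHtml";
    }
}
```

```java
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(TestController.class)
public class SecurityTest {
    @Autowired
    private MockMvc mockMvc;

    @Test
    @DisplayName("mvc test controller associated with page not found")
    void security_mvc_notFound_test() throws Exception {
        //given
        //when
        //then
        mockMvc.perform(get("/testweb/get"))
                .andExpect(status().isNotFound());
    }

    @EnableWebSecurity
    @Configuration
    public static class testSecuiryConfig {
        @Bean
        public SecurityFilterChain restApiSecurityFilterChain(HttpSecurity http) throws Exception {
            http
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(authorizeRequests ->
                    authorizeRequests
                        .requestMatchers("/testweb/**").permitAll()
                        .anyRequest().authenticated())
            ;
            return http.build();
        }
    }
}
```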
2024-05-04 19:09:26.060 [ INFO] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - initServletBean:532] --- Initializing Servlet 'dispatcherServlet'
2024-05-04 19:09:26.061 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initMultipartResolver:533] --- Detected StandardServletMultipartResolver
2024-05-04 19:09:26.061 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initLocaleResolver:557] --- Detected AcceptHeaderLocaleResolver
2024-05-04 19:09:26.061 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initThemeResolver:583] --- Detected FixedThemeResolver
2024-05-04 19:09:26.063 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initRequestToViewNameTranslator:733] --- Detected org.springframework.web.servlet.view.DefaultRequestToViewNameTranslator@203f1447
2024-05-04 19:09:26.063 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.DispatcherServlet - initFlashMapManager:797] --- Detected org.springframework.web.servlet.support.SessionFlashMapManager@2673ba1f
2024-05-04 19:09:26.064 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - initServletBean:549] --- enableLoggingRequestDetails='false': request parameters and headers will be masked to prevent unsafe logging of potentially sensitive data
2024-05-04 19:09:26.065 [ INFO] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - initServletBean:554] --- Completed initialization in 4 ms
2024-05-04 19:09:26.089 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - getFilters:245] --- Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@57202722, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7bc342f6, org.springframework.security.web.context.SecurityContextHolderFilter@67b920c9, org.springframework.security.web.header.HeaderWriterFilter@77e467d9, org.springframework.web.filter.CorsFilter@20c3be4c, org.springframework.security.web.authentication.logout.LogoutFilter@1290fc6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3f6fa2dd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@278e721e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77d86aba, org.springframework.security.web.access.ExceptionTranslationFilter@c4e440b, org.springframework.security.web.access.intercept.AuthorizationFilter@38988d78]] (1/1)
2024-05-04 19:09:26.090 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - doFilterInternal:223] --- Securing GET /testweb/get
2024-05-04 19:09:26.092 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking DisableEncodeUrlFilter (1/11)
2024-05-04 19:09:26.095 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking WebAsyncManagerIntegrationFilter (2/11)
2024-05-04 19:09:26.096 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderFilter (3/11)
2024-05-04 19:09:26.098 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking HeaderWriterFilter (4/11)
2024-05-04 19:09:26.100 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking CorsFilter (5/11)
2024-05-04 19:09:26.102 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking LogoutFilter (6/11)
2024-05-04 19:09:26.103 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.l.LogoutFilter - requiresLogout:121] --- Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-05-04 19:09:26.104 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking RequestCacheAwareFilter (7/11)
2024-05-04 19:09:26.104 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - getMatchingRequest:111] --- matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-05-04 19:09:26.104 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderAwareRequestFilter (8/11)
2024-05-04 19:09:26.105 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AnonymousAuthenticationFilter (9/11)
2024-05-04 19:09:26.107 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking ExceptionTranslationFilter (10/11)
2024-05-04 19:09:26.107 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AuthorizationFilter (11/11)
2024-05-04 19:09:26.108 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:74] --- Authorizing SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203]
2024-05-04 19:09:26.109 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:83] --- Checking authorization on SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$1706/0x0000000134b3a530@6ed71619
2024-05-04 19:09:26.114 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - lambda$doFilterInternal$3:227] --- Secured GET /testweb/get
2024-05-04 19:09:26.116 [DEBUG] [http-nio-8080-exec-1] [o.s.c.l.LogFormatUtils - traceDebug:120] --- GET "/testweb/get", parameters={}
2024-05-04 19:09:26.118 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.h.AbstractHandlerMapping - getHandler:531] --- Mapped to com.psg.payment.controller.TestController#getTest()
2024-05-04 19:09:26.156 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.v.AbstractView - render:307] --- View name '/testHtml', model {}
2024-05-04 19:09:26.160 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.v.InternalResourceView - renderMergedOutputModel:169] --- Forwarding to [/WEB-INF/jsp/testHtml.jsp]
2024-05-04 19:09:26.167 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - getFilters:245] --- Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@57202722, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7bc342f6, org.springframework.security.web.context.SecurityContextHolderFilter@67b920c9, org.springframework.security.web.header.HeaderWriterFilter@77e467d9, org.springframework.web.filter.CorsFilter@20c3be4c, org.springframework.security.web.authentication.logout.LogoutFilter@1290fc6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3f6fa2dd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@278e721e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77d86aba, org.springframework.security.web.access.ExceptionTranslationFilter@c4e440b, org.springframework.security.web.access.intercept.AuthorizationFilter@38988d78]] (1/1)
2024-05-04 19:09:26.167 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - doFilterInternal:223] --- Securing GET /WEB-INF/jsp/testHtml.jsp
2024-05-04 19:09:26.167 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking DisableEncodeUrlFilter (1/11)
2024-05-04 19:09:26.168 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking WebAsyncManagerIntegrationFilter (2/11)
2024-05-04 19:09:26.168 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderFilter (3/11)
2024-05-04 19:09:26.168 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking HeaderWriterFilter (4/11)
2024-05-04 19:09:26.169 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking CorsFilter (5/11)
2024-05-04 19:09:26.169 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking LogoutFilter (6/11)
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.l.LogoutFilter - requiresLogout:121] --- Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking RequestCacheAwareFilter (7/11)
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - getMatchingRequest:111] --- matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-05-04 19:09:26.170 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderAwareRequestFilter (8/11)
2024-05-04 19:09:26.171 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AnonymousAuthenticationFilter (9/11)
2024-05-04 19:09:26.171 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking ExceptionTranslationFilter (10/11)
2024-05-04 19:09:26.171 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AuthorizationFilter (11/11)
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:74] --- Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203]]]
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:83] --- Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ SecurityContextHolderAwareRequestWrapper[ org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequest@5af7a203]]] using org.springframework.security.authorization.AuthenticatedAuthorizationManager@26b285
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.HttpSessionSecurityContextRepository - readSecurityContextFromSession:206] --- No HttpSession currently exists
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.172 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.173 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.AnonymousAuthenticationFilter - defaultWithAnonymous:116] --- Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-05-04 19:09:26.174 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.AnonymousAuthenticationFilter - defaultWithAnonymous:127] --- Did not set SecurityContextHolder since already authenticated AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
2024-05-04 19:09:26.180 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.ExceptionTranslationFilter - handleAccessDeniedException:194] --- Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.access.AccessDeniedException: Access Denied
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:98)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:75)
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:653)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:419)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:340)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:277)
at org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterRequestDispatcher.forward(HeaderWriterFilter.java:170)
at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:171)
at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:314)
at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1431)
at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1167)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1106)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:979)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:903)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:564)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:885)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
at org.springframework.security.web.ObservationFilterChainDecorator$FilterObservation$SimpleFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:479)
at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$1(ObservationFilterChainDecorator.java:340)
at org.springframework.security.web.ObservationFilterChainDecorator.lambda$wrapSecured$0(ObservationFilterChainDecorator.java:82)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:128)
at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195)
at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:175)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:150)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Thread.java:842)
2024-05-04 19:09:26.198 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - saveRequest:80] --- Saved request http://localhost:8080/WEB-INF/jsp/testHtml.jsp?continue to session
2024-05-04 19:09:26.199 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.a.Http403ForbiddenEntryPoint - commence:57] --- Pre-authenticated entry point called. Rejecting access
2024-05-04 19:09:26.199 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.h.w.HstsHeaderWriter - writeHeaders:151] --- Not injecting HSTS header since it did not match request to [Is Secure]
2024-05-04 19:09:26.202 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - logResult:1138] --- Completed 403 FORBIDDEN
2024-05-04 19:09:26.206 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - getFilters:245] --- Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@57202722, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7bc342f6, org.springframework.security.web.context.SecurityContextHolderFilter@67b920c9, org.springframework.security.web.header.HeaderWriterFilter@77e467d9, org.springframework.web.filter.CorsFilter@20c3be4c, org.springframework.security.web.authentication.logout.LogoutFilter@1290fc6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@3f6fa2dd, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@278e721e, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@77d86aba, org.springframework.security.web.access.ExceptionTranslationFilter@c4e440b, org.springframework.security.web.access.intercept.AuthorizationFilter@38988d78]] (1/1)
2024-05-04 19:09:26.206 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - doFilterInternal:223] --- Securing GET /error
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking DisableEncodeUrlFilter (1/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking WebAsyncManagerIntegrationFilter (2/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderFilter (3/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking HeaderWriterFilter (4/11)
2024-05-04 19:09:26.207 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking CorsFilter (5/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking LogoutFilter (6/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.l.LogoutFilter - requiresLogout:121] --- Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking RequestCacheAwareFilter (7/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.s.HttpSessionRequestCache - getMatchingRequest:111] --- matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking SecurityContextHolderAwareRequestFilter (8/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AnonymousAuthenticationFilter (9/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking ExceptionTranslationFilter (10/11)
2024-05-04 19:09:26.208 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.ObservationFilterChainDecorator$VirtualFilterChain - doFilter:135] --- Invoking AuthorizationFilter (11/11)
2024-05-04 19:09:26.209 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:74] --- Authorizing SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@2db77c64]]
2024-05-04 19:09:26.209 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager - check:83] --- Checking authorization on SecurityContextHolderAwareRequestWrapper[ FirewalledRequest[ org.apache.catalina.core.ApplicationHttpRequest@2db77c64]] using org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer$$Lambda$1706/0x0000000134b3a530@6ed71619
2024-05-04 19:09:26.210 [DEBUG] [http-nio-8080-exec-1] [o.s.s.w.FilterChainProxy - lambda$doFilterInternal$3:227] --- Secured GET /error
2024-05-04 19:09:26.210 [DEBUG] [http-nio-8080-exec-1] [o.s.c.l.LogFormatUtils - traceDebug:120] --- "ERROR" dispatch for GET "/error", parameters={}
2024-05-04 19:09:26.212 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.h.AbstractHandlerMapping - getHandler:531] --- Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#error(HttpServletRequest)
2024-05-04 19:09:26.223 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.m.m.a.AbstractMessageConverterMethodProcessor - writeWithMessageConverters:275] --- Using 'application/json', given [/] and supported [application/json, application/*+json]
2024-05-04 19:09:26.225 [DEBUG] [http-nio-8080-exec-1] [o.s.c.l.LogFormatUtils - traceDebug:120] --- Writing [{timestamp=Sat May 04 19:09:26 KST 2024, status=403, error=Forbidden, path=/testweb/get}]
2024-05-04 19:09:26.239 [DEBUG] [http-nio-8080-exec-1] [o.s.w.s.FrameworkServlet - logResult:1135] --- Exiting from "ERROR" dispatch, status 403
2024-05-04 19:09:26.239 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.HttpSessionSecurityContextRepository - readSecurityContextFromSession:213] --- Did not find SecurityContext in HttpSession D599ED1C6CED59B783E1B84289045F6E using the SPRING_SECURITY_CONTEXT session attribute
2024-05-04 19:09:26.239 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.239 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.c.SupplierDeferredSecurityContext - init:72] --- Created SecurityContextImpl [Null authentication]
2024-05-04 19:09:26.240 [TRACE] [http-nio-8080-exec-1] [o.s.s.w.a.AnonymousAuthenticationFilter - defaultWithAnonymous:116] --- Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=D599ED1C6CED59B783E1B84289045F6E], Granted Authorities=[ROLE_ANONYMOUS]]