Throwing an Exception inside AuthenticationProvider.authentication() causes a return 200. #7630
Comments
@tggm Can you provide some more detail on the type of exception you are trying to throw?
so this method would not be allowed to throw a
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Apologies for the delay. Yes, in this instance the exception thrown was an Unchecked Exception (Derived from RuntimeException). This caused the framework to return an HTTP 200 code to the client.
@tggm I'm having difficulty reproducing the problem.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Summary
AuthenticationProvider implementations deal with exceptions differently in the authenticate() method.
Actual Behavior
Consider an AuthenticationProvider (org.springframework.security.authentication.AuthenticationProvider) implementation. If the authenticate(Authentication authentication) method throws a java.lang.Exception the framework will return an HTTP 200 code to the client.
If, however, an AuthenticationException is raised (for instance a concrete AuthenticationServiceException) the framework will return a 403 response code.
Expected Behavior
Any exception inside an authentication provider should cause a 403 error.
Configuration
WebSecurity config
ResponseEntityExceptionHandler
Version
spring-security-core-5.2.0.RELEASE
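
One way for a provider to stay on the AuthenticationException path described in the issue, whatever its backend throws, is to wrap it so that unexpected runtime failures are rethrown as AuthenticationServiceException. This is an added example, not code from the issue or from the Spring Security project; the class name FailClosedAuthenticationProvider is hypothetical.

```java
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/**
 * Hypothetical wrapper (not part of Spring Security): delegates to another
 * AuthenticationProvider and converts any unexpected RuntimeException into an
 * AuthenticationServiceException, so a backend failure is always handled as a
 * failed authentication rather than as an unrelated application error.
 */
public final class FailClosedAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;

    public FailClosedAuthenticationProvider(AuthenticationProvider delegate) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate must not be null");
        }
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            // A null result means the delegate could not decide; pass it through unchanged.
            return delegate.authenticate(authentication);
        } catch (AuthenticationException e) {
            // Already the exception type the framework expects; do not re-wrap.
            throw e;
        } catch (RuntimeException e) {
            // Generic message for the caller; the original exception is kept as the
            // cause so it is still available for server-side logging.
            throw new AuthenticationServiceException("Authentication could not be completed", e);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```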