
InsufficientAuthenticationException being handled as HTTP 500 instead of 401 #582

Closed
icaromagnago opened this issue Jan 8, 2021 · 4 comments · Fixed by #674
Comments

@icaromagnago

I'm using Spring Boot 2.3.4.RELEASE and problem-spring-web 0.25.0.

When trying to make a request to the API with no token, an InsufficientAuthenticationException is thrown. In this case the HTTP status code should be 401, but the problem library is handling it as status code 500.

{
  "title": "Internal Server Error",
  "status": 500,
  "detail": "Full authentication is required to access this resource"
}
2021-01-08 12:11:32.898 ERROR 24769 --- [nio-8080-exec-1] o.z.problem.spring.common.AdviceTraits   : Internal Server Error

org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource
...

Configurations

Spring security

import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Import;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;

@KeycloakConfiguration
@Import(SecurityProblemSupport.class)
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    // Problem-aware entry point / access-denied handler provided by problem-spring-web
    @Autowired
    private SecurityProblemSupport problemSupport;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .exceptionHandling()
            .authenticationEntryPoint(problemSupport)
            .accessDeniedHandler(problemSupport)
        .and()
            .cors().and().csrf().disable()
            .authorizeRequests()
            .antMatchers(HttpMethod.OPTIONS,"/swagger-ui.html#/**").permitAll()
            .anyRequest()
            .authenticated();
    }
    // ...
}

Controller Advice

import org.springframework.web.bind.annotation.ControllerAdvice;
import org.zalando.problem.spring.web.advice.security.SecurityAdviceTrait;

@ControllerAdvice
public class SecurityExceptionHandler implements SecurityAdviceTrait {

}

In version 0.23.0 it works as expected.

{
  "title": "Unauthorized",
  "status": 401,
  "detail": "Full authentication is required to access this resource"
}
2021-01-08 12:21:41.871  WARN 26529 --- [nio-8080-exec-1] o.z.p.spring.web.advice.AdviceTrait      : Unauthorized: Full authentication is required to access this resource
@whiskeysierra
Collaborator

Previous similar issue: #498

I'm out of ideas here, tbh. Can you reproduce it in a test so we can improve our test suite?

@icaromagnago
Author

I will try to reproduce it in a test as soon as possible.

@icaromagnago
Author

I figured out the problem.

It occurs when I have two @ControllerAdvice classes, one implementing ProblemHandling and the other one implementing SecurityAdviceTrait.

If I disable the one implementing ProblemHandling, then the code works as expected. If I use just one @ControllerAdvice that implements the two interfaces, it also seems to work.

I'm not sure if this is a bug or just a misconfiguration.

Here's a sample: https://github.com/icaromagnago/sample-spring-problem-issue

@Kogs

Kogs commented Aug 9, 2021

Just use the higher @Priority for the one @ControllerAdvice you want to use, fixed it for me.
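The ordering fix described in this thread, written out as an added example (not code from the issue or from problem-spring-web itself). Spring's ExceptionHandlerExceptionResolver consults @ControllerAdvice beans in order and uses the first one that has a handler matching the exception; ProblemHandling brings a catch-all Throwable handler, so if that advice is consulted before the SecurityAdviceTrait one, an AuthenticationException is mapped to 500. The class names below are assumptions; the trait interfaces are the ones named in the thread.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.zalando.problem.spring.web.advice.ProblemHandling;
import org.zalando.problem.spring.web.advice.security.SecurityAdviceTrait;

// Assumed class name. Ordered first so that its AuthenticationException /
// AccessDeniedException handlers are found before any catch-all handler,
// producing 401 / 403 problem responses. @Priority (as mentioned in the
// thread) works the same way; @Order is used here.
@Order(Ordered.HIGHEST_PRECEDENCE)
@ControllerAdvice
public class SecurityExceptionHandler implements SecurityAdviceTrait {
}

// Assumed class name. ProblemHandling includes a Throwable handler that maps
// anything unhandled to 500, so it must be ordered after the security advice.
// (Without explicit ordering both advices share the default lowest precedence
// and the registration order decides which one answers first.)
@Order(Ordered.LOWEST_PRECEDENCE)
@ControllerAdvice
public class GeneralExceptionHandler implements ProblemHandling {
}
```

The other working setup found in the thread is a single @ControllerAdvice implementing both ProblemHandling and SecurityAdviceTrait, which avoids the cross-advice ordering question entirely because the more specific handler then wins inside one advice.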
