
Disable Redirect by Spring Security in Jersey Spring Boot Application

I am pulling my hair out. The environment is a JAXRS (using Jersey) Restful application configured via Spring Boot. I am developing an orchestration layer that communicates with microservices. The orchestration layer uses RestTemplate to perform the calls to the microservices.

For some reason, when there is an error level status code returned from the orchestration service, Spring Security attempts to post to http://localhost:65448/error. I have NO idea who is doing this. I have turned up logging, traced through the code, scoured the internet, and read all the documentation... I cannot determine what class is attempting to do this. I cannot stop it.

Here is my Spring Configuration (groovy) for the security bits:

@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Inject
    private UserService userService

    @Inject
    private StatelessAuthenticationFilter statelessAuthenticationFilter

    void configure(WebSecurity web) throws Exception {

    }

    void configure(HttpSecurity http) throws Exception {
        http
                .anonymous().and()
              //  .servletApi().and()
                .headers().cacheControl().and()
                .exceptionHandling().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .rememberMe().disable()
                .csrf().disable()
                .formLogin().disable()
                .httpBasic().disable()
                .jee().disable()
                .logout().disable()
                //.openidLogin().disable()
                .authorizeRequests()
                .filterSecurityInterceptorOncePerRequest(true)

        // Allow anonymous logins
                .antMatchers('/security/authc').permitAll()

        // All other request need to be authenticated
                .anyRequest().authenticated().and()

        // Custom Token based authentication based on the header previously given to the client
               .addFilterAfter(statelessAuthenticationFilter, BasicAuthenticationFilter)
    }

    void configure(AuthenticationManagerBuilder auth) {
        auth
                .userDetailsService(userService)
                .passwordEncoder(passwordEncoder())
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        new BCryptPasswordEncoder()
    }

    @Bean
    AuthenticationManager authenticationManagerBean() {
        super.authenticationManagerBean()
    }

}

The test code is performing a simple rest-based authentication by posting an Authorization header to the authc endpoint. This works as expected unless the orchestration service returns an error level status code.

Here is the relevant logging:

[2015-06-03 07:07:15.621] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 1 * Server has received a request on thread qtp1012776440-21
1 > POST http://localhost:65448/security/authc
1 > Accept: */*
1 > Accept-Encoding: gzip,deflate
1 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
1 > Connection: keep-alive
1 > Content-Length: 0
1 > Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1
1 > Host: localhost:65448
1 > User-Agent: Apache-HttpClient/4.2.1 (java 1.5)

[2015-06-03 07:07:15.753] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 1 * Server responded with a response on thread qtp1012776440-21
1 < 400

[2015-06-03 07:07:15.757] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 2 * Server has received a request on thread qtp1012776440-21
2 > POST http://localhost:65448/error
2 > Accept: */*
2 > Accept-Encoding: gzip,deflate
2 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
2 > Connection: keep-alive
2 > Content-Length: 0
2 > Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1
2 > Host: localhost:65448
2 > User-Agent: Apache-HttpClient/4.2.1 (java 1.5)

[2015-06-03 07:07:15.781] boot - 47784  INFO [qtp1012776440-21] --- LoggingFilter: 2 * Server responded with a response on thread qtp1012776440-21
2 < 404
2 < Content-Type: application/json

HTTP/1.1 404 Not Found
Date: Wed, 03 Jun 2015 11:07:15 GMT
Pragma: no-cache
X-Application-Context: Test:test:0
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(9.2.9.v20150224)

Please help before I toss my computer out the window.

Cheers
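As an added check (not code from the original question), the following parses a Jersey LoggingFilter trace in the "N > ..." / "N < ..." format shown above and flags every dispatch to /error that follows an error status, so a fix can be verified from the logs rather than by guesswork; the sample trace is constructed from the one in the question.

```python
"""Check a Jersey LoggingFilter trace for Spring Boot /error dispatches.
Added example, not from the original post; same "N > ..."/"N < ..." format as the question's log."""
import re
from urllib.parse import urlparse

REQ_LINE = re.compile(r"^(\d+) > ([A-Z]+) (\S+)$")
HDR_LINE = re.compile(r"^(\d+) > ([^:]+): (.*)$")
RSP_LINE = re.compile(r"^(\d+) < (\d{3})$")

# Constructed sample, trimmed from the trace in the question.
SAMPLE_TRACE = """\
1 > POST http://localhost:65448/security/authc
1 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
1 > Host: localhost:65448
1 < 400
2 > POST http://localhost:65448/error
2 > Authorization: bm90ZXhpc3RzOnRlc3RwYXNz
2 > Host: localhost:65448
2 < 404
"""
# The same exchange once the error page dispatch is off: no request 2 at all.
FIXED_TRACE = "\n".join(SAMPLE_TRACE.splitlines()[:4])


def parse_trace(text):
    """Return ({id: {method, url, headers}}, {id: status}) for a trace."""
    requests, statuses = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        req, hdr, rsp = REQ_LINE.match(line), HDR_LINE.match(line), RSP_LINE.match(line)
        if req:  # checked before HDR_LINE, which "N > POST http://..." would also match
            requests[int(req.group(1))] = {"method": req.group(2), "url": req.group(3), "headers": {}}
        elif rsp:
            statuses[int(rsp.group(1))] = int(rsp.group(2))
        elif hdr and int(hdr.group(1)) in requests:
            requests[int(hdr.group(1))]["headers"][hdr.group(2).lower()] = hdr.group(3)
    return requests, statuses


def find_error_dispatches(text, error_path="/error"):
    """List (failed_id, status, error_id, auth_forwarded) for each error_path request after a >= 400."""
    requests, statuses = parse_trace(text)
    findings = []
    for rid, req in sorted(requests.items()):
        prev = rid - 1
        if urlparse(req["url"]).path != error_path or statuses.get(prev, 0) < 400:
            continue
        # The container forwards the original request, so the client's Authorization header reappears.
        auth = requests[prev]["headers"].get("authorization")
        auth_forwarded = auth is not None and auth == req["headers"].get("authorization")
        findings.append((prev, statuses[prev], rid, auth_forwarded))
    return findings
```

An empty result for a trace means no error page dispatch happened after the failing request.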

This is caused by the ErrorMvcAutoConfiguration. You can either disable it (via exclude on the annotation EnableAutoConfiguration) or change its path, if you have a custom error path, with the property error.path.

Hi,

This is the default behaviour of Jetty when the server responds with a status code >= 400 (except for 404) and the response has no entity. You can "disable" this behaviour by setting an empty error pages list:

// Spring Boot 1.x embedded container API; Sets comes from Guava
import java.util.Set;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.ErrorPage;
import org.springframework.context.annotation.Bean;
import com.google.common.collect.Sets;

@Bean
public EmbeddedServletContainerCustomizer containerCustomizer() {

    return new EmbeddedServletContainerCustomizer() {
        @Override
        public void customize(ConfigurableEmbeddedServletContainer container) {
            // Skip the forward to /error by registering no error pages at all
            Set<ErrorPage> noErrorPages = Sets.<ErrorPage>newConcurrentHashSet();
            container.setErrorPages(noErrorPages);
        }
    };
}

Despite this workaround, the server will send the real HTTP status with an XML body (see ErrorHandler).

This is also the case for undertow.
