spring-boot

mirror of https://github.com/spring-projects/spring-boot.git synced 2024-08-29 03:06:45 +08:00

History

Madhura Bhave d9d161cd6b Allow previously authorized users to access the error page Prior to this commit, the `ErrorPageSecurityFilter` verified if access to the error page was allowed by invoking the `WebInvocationPrivilegeEvaluator` with the Authentication from the `SecurityContextHolder`. This meant that access to the error page was denied for a `null` Authentication or `AnonymousAuthenticationToken` in cases where the error page required authenticated access. This prevented authorized users from accessing the error page in case the Authentication wasn't retrievable for the error dispatch, which is the case for `@Transient` authentication or stateless session policy. This commit updates the `ErrorPageSecurityFilter` to check access to the error page only if the error is an authn or authz error in cases where an authentication object is not found in the SecurityContextHolder. This makes the error response consistent when bad credentials or no credentials are used while also allowing access to previously authorized users. Fixes gh-28953	2021-12-17 16:58:58 -08:00
..
src	Allow previously authorized users to access the error page	2021-12-17 16:58:58 -08:00
build.gradle	Prohibit unwanted dependencies in all modules not just starters	2021-11-12 20:04:35 +00:00

Madhura Bhave d9d161cd6b Allow previously authorized users to access the error page

Prior to this commit, the `ErrorPageSecurityFilter` verified if
access to the error page was allowed by invoking the
`WebInvocationPrivilegeEvaluator` with the Authentication from the
`SecurityContextHolder`.
This meant that access to the error page was denied for a `null` Authentication
 or `AnonymousAuthenticationToken` in cases where the error page required
authenticated access. This prevented authorized users from accessing the
error page in case the Authentication wasn't retrievable for the error dispatch,
which is the case for `@Transient` authentication or stateless session policy.

This commit updates the `ErrorPageSecurityFilter` to check access to the error page
only if the error is an authn or authz error in cases where an authentication object
is not found in the SecurityContextHolder. This makes the error response consistent
when bad credentials or no credentials are used while also allowing access to previously
authorized users.

Fixes gh-28953

2021-12-17 16:58:58 -08:00

src

Allow previously authorized users to access the error page

2021-12-17 16:58:58 -08:00

build.gradle

Prohibit unwanted dependencies in all modules not just starters

2021-11-12 20:04:35 +00:00