Spring(Boot) Security preauthorize auth return 200 on "false" instead of 403
Hello! Hope this is the right section. I have a "problem" with Spring Boot and Spring Security.
In controllers I have the classic @PreAuthorize("hasAnyAuthority(....)").
I would like to receive the error 403 (in order to redirect to the 403.ftlh in case of no authentication).
Right now, instead, if I open a page that does not pass the @PreAuthorize, it returns the page with status 200, but blank, because no API in the controller is executed (correctly).
I tried to put an http.executionHandling() in the security config, but it won't execute anyway.
The basic requests I have is:
But I still get 200 (and a blank page) when opening that page.
There is no such thing as authorize.anymatchers or .anyMatchers.
Read this: https://docs.spring.io/spring-security/reference/servlet/authorization/authorize-http-requests.html#match-requests
And put .requestMatchers. And not .anyMatchers, but .antMatchers(
Yes, sorry, I wrote it manually, but it all works correctly.
The problem is the non-authorized pages that do not pass the PreAuthorize but still return 200, so it keeps opening the blank page.
Do you have @EnableGlobalMethodSecurity(prePostEnabled = true) on the Spring Security configuration class?
Yes
Still searching the docs, but I've not found what's wrong yet.