Page with permitAll is no longer accessible via auto-configured MockMvc

[martinvisser]

As asked on gitter I found an issue after upgrading to Spring Boot 2.6.0: running a @SpringBootTest with @AutoConfigureMockMvc a login page (not limited to) is no longer accessible after the upgrade. The same configuration that worked on Spring Boot 2.5.7 now triggers a 401. Tracing this lead me to the ErrorPageSecurityFilter.

Since 2.6.0 the initial request gets granted, but the (mock) filter chain goes through the ErrorPageSecurityFilter and denies in later.

I made a small example project to reproduce the issue: https://github.com/martinvisser/error-page-security-filter-issue.

For reasons I can't exactly remember I had multiple configuration extending from WebSecurityConfigurerAdapter which worked in Spring Boot 2.5.7. Merging the two configurations into one fixed the issue for me, but it does still sound like unforeseen and unwanted behavior.

This worked in 2.5.7, but fails in 2.6.0:

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
internal class WebSecurityConfig : WebSecurityConfigurerAdapter() {
    @Configuration(proxyBeanMethods = false)
    @Order(1)
    internal class FormWebSecurityConfigurerAdapter : WebSecurityConfigurerAdapter() {
        override fun configure(http: HttpSecurity) {
            http.authorizeRequests {
                it.anyRequest().permitAll()
            }
        }
    }
}

This works in both though:

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
internal class WebSecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http.authorizeRequests {
            it.anyRequest().permitAll()
        }
    }
}

[martinvisser]

Perhaps related to #26356 and/or #28741

[wilkinsona]

Thanks for the sample, @martinvisser.

The cause of the problem is that ErrorPageSecurityFilter is being called for a REQUEST dispatch despite only being registered for ERROR dispatches. This is a limitation of MockMvc that I had overlooked when working on the changes for #26356 with @mbhave. I've opened spring-projects/spring-framework#27717 so that the Framework team can consider an enhancement to MockMvc that would allow us to register filters for particular dispatcher types. In the meantime, we can update Boot's ErrorPageSecurityFilter to ignore non-ERROR requests.

[wilkinsona]

A workaround for this problem is to remove the error page security filter by adding the following bean to the configuration used in your application's tests:

@Bean
static BeanFactoryPostProcessor removeErrorSecurityFilter() {
    return (beanFactory) -> 
        ((DefaultListableBeanFactory)beanFactory).removeBeanDefinition("errorPageSecurityInterceptor");
}

[steklopod]

I also have the same problem with 2.6.0 only:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class SecurityConfig(private val userService: UserService) : WebSecurityConfigurerAdapter() {
    companion object {
        private val whitelist = arrayOf(
            "/registration", "/registration/*", "/login", "/user/exists/*"
        )
    }


    override fun configure(webSecurity: WebSecurity)           { webSecurity.ignoring().antMatchers(*whitelist) }
    override fun configure(auth: AuthenticationManagerBuilder) { auth.authenticationProvider(authProvider()) }

    @Bean override fun authenticationManagerBean(): AuthenticationManager = super.authenticationManagerBean()
    @Bean fun passwordEncoder(): PasswordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder()
    @Bean fun authProvider   (): DaoAuthenticationProvider = DaoAuthenticationProvider().apply { setUserDetailsService(userService); setPasswordEncoder(BCryptPasswordEncoder()) }
   

Result

java.lang.AssertionError: Status expected:<200> but was:<401>
Expected :200
Actual   :401

My test:

@SpringBootTest
@AutoConfigureMockMvc
internal class LoginControllerTest(
    @Autowired private val mockMvc: MockMvc,
    @Autowired private val userService: UserService,
) {
    private val loginUrl = "/login"
    private val email = """email@gmail.com"""
    private val principal = """{ "email": "$email", "password": "test" }"""


    @Test
    fun `login and logout`() {
        val result = mockMvc.perform(
            post(loginUrl).contentType(APPLICATION_JSON)
                .content(principal)
        )
            .andDo(MockMvcResultHandlers.print())
            .andExpect(status().isOk)
}

[wilkinsona]

@steklopod That does look like the same problem. If you haven't done so already, please try the workaround.