spring-projects / spring-security-kerberos

Spring Security Kerberos
https://spring.io/projects/spring-security-kerberos

"Request is a replay" when using ErrorPageFilter #46

Closed natetyler closed 6 months ago

natetyler commented 8 years ago

With default Spring Boot configuration, if there is an error during Kerberos ticket validation or granted authorities population, the request will be forwarded to /error. After the forward, the SpnegoAuthenticationProcessingFilter will act on the request again, because the "Negotiate" header is still present on the request. Because that request has already been validated, it will throw "Request is a replay." This prevents the BasicErrorController from handling the error, instead kicking the original exception out to the container, and displaying the "request is a replay" exception in the log.

natetyler commented 8 years ago

I solved this by wrapping SpnegoAuthenticationProcessingFilter in a OncePerRequestFilter. I don't know if it makes sense to do this by default or not, but I can't imagine you'd want this filter applied more than once to a single request.
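An added illustration of the workaround described in the comment above; it is not code posted in this thread or taken from the project. The class name `OncePerRequestSpnegoFilter`, the `register` helper, the `javax.servlet` namespace and the placement before `BasicAuthenticationFilter` are assumptions made for the example.

```java
import java.io.IOException;

import javax.servlet.FilterChain;   // assumption: javax.* namespace; newer stacks use jakarta.*
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical wrapper: runs the SPNEGO filter at most once per request, so a
 * forward to /error does not hand the same "Negotiate" token to the validator
 * a second time.
 */
public class OncePerRequestSpnegoFilter extends OncePerRequestFilter {

    private final SpnegoAuthenticationProcessingFilter delegate;

    public OncePerRequestSpnegoFilter(SpnegoAuthenticationProcessingFilter delegate) {
        // The delegate must already be fully configured (authentication manager set).
        this.delegate = delegate;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // OncePerRequestFilter.doFilter() decides whether this method runs at all.
        // By default it is skipped for error dispatches (shouldNotFilterErrorDispatch()
        // returns true) and for a request this filter is already processing; in those
        // cases the chain continues without touching the Kerberos ticket again.
        delegate.doFilter(request, response, chain);
    }

    /** Hypothetical helper: register the wrapper in the security chain instead of the raw filter. */
    public static HttpSecurity register(HttpSecurity http,
                                        SpnegoAuthenticationProcessingFilter spnego) {
        // Assumption: positioned before BasicAuthenticationFilter.
        return http.addFilterBefore(new OncePerRequestSpnegoFilter(spnego),
                                    BasicAuthenticationFilter.class);
    }
}
```

The wrapper only helps if the unwrapped `SpnegoAuthenticationProcessingFilter` is not also registered in the chain on its own.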

ItamarBenjamin commented 7 years ago

I've been experiencing the same issue exactly. Is there an official fix coming up?

martinvlk commented 7 years ago

+1 for the fix to be released