Open NathanD001 opened 1 year ago
Thanks for the report, @NathanD001.
It's likely that what many folks want is the HTTP status returned instead of the exception, and it may be reasonable to have HttpStatusRequestRejectedHandler
become the default in the next major release, though it would need to remain as-is for now to maintain backward compatibility. I'll keep this ticket open and mark it as breaks-passivity
for that purpose.
As a separate issue I think the log level in HttpStatusRequestRejectedHandler should be changed to error.
Logging at DEBUG
is intentional. For the most part, Spring Security uses DEBUG
and TRACE
so as to not clutter up production logs. Instead of changing bumping that to ERROR
, please consider allowing that logging configuration in production if you want to always have it logged, for example logging.level.org.springframework.security.firewall.HttpStatusRequestRejectedHandler: DEBUG
.
@jzheaux I understand. Thank you for the fast response! Please let me know if/when you would like me to open a Pull Request.
Expected Behavior
DefaultRequestRejectedHandler should return HTTP 400 by default instead of having to implement a custom bean.
Sample request ->
curl --location --request GET 'http://localhost:8080/./' \ --header 'Content-Type: application/json' \ --header 'Accept-Language: en-us' \ --header 'Accept: application/json'
Should return ->
{ "timestamp": "2023-04-24T15:21:47.865+00:00", "status": 400, "error": "Internal Server Error", "path": "/./" }
Current Behavior
curl --location --request GET 'http://localhost:8080/./' \ --header 'Content-Type: application/json' \ --header 'Accept-Language: en-us' \ --header 'Accept: application/json'
Returns->
{ "timestamp": "2023-04-24T15:21:47.865+00:00", "status": 500, "error": "Internal Server Error", "path": "/./" }
Context
Currently the DefaultRequestRejectedHandler lets the RequestRejectedException bubble out and return an HTTP 500 and has no logging. I think a more accurate status code is HTTP 400. https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/DefaultRequestRejectedHandler.java#L37
I was also unable to use
HttpStatusRequestRejectedHandler
because the log level used is debug when I think the log level should be error. https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/HttpStatusRequestRejectedHandler.java#L59This required me to implement this workaround. Similar to a recommendation made here https://stackoverflow.com/questions/51788764/how-to-intercept-a-requestrejectedexception-in-spring
I do think this is low priority because there is a pretty simple workaround however I do think the correct status code is HTTP 400 so that should be the default behavior.
As a separate issue I think the log level in HttpStatusRequestRejectedHandler should be changed to error.
I'm also willing to open the Pull Request for this change if you consider this a valid enhancement. Please let me know. Thank you in advance!