401 instead of 403 with Spring Boot 2

by

Heads up

By default Spring Boot 2 will return 401 when spring-boot-starter-security is added as a dependency and an unauthorized request is performed.

This may change if you place some custom configurations to modify the security mechanism behavior. If that’s the case and you truly need to force the 401 status, then read the below original post.

Original Post

The class org.springframework.boot.autoconfigure.security.Http401AuthenticationEntryPoint was removed in favor of org.springframework.security.web.authentication.HttpStatusEntryPoint.

In my case the code would go like this:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        //...
        http.exceptionHandling()
            .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        //...
    }
}

Bonus

If you need to return some information in the response body or customize the response somehow you can do something like this:

1- Extend AuthenticationEntryPoint

public class MyEntryPoint implements AuthenticationEntryPoint {
    private final HttpStatus httpStatus;
    private final Object responseBody;

    public MyEntryPoint(HttpStatus httpStatus, Object responseBody) {
        Assert.notNull(httpStatus, "httpStatus cannot be null");
        Assert.notNull(responseBody, "responseBody cannot be null");
        this.httpStatus = httpStatus;
        this.responseBody = responseBody;
    }

    @Override
    public final void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException {
        response.setStatus(httpStatus.value());

        try (PrintWriter writer = response.getWriter()) {
            writer.print(new ObjectMapper().writeValueAsString(responseBody));
        }
    }
}

2- Provide an instance of MyEntryPoint to the security configuration

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // customize your response body as needed
        Map<String, String> responseBody = new HashMap<>();
        responseBody.put("error", "unauthorized");

        //...
        http.exceptionHandling()
            .authenticationEntryPoint(new MyEntryPoint(HttpStatus.UNAUTHORIZED, responseBody));
        //...
    }
}

More Related Contents:

  1. Filter invoke twice when register as Spring bean
  2. Spring security CORS Filter
  3. Spring Security Configuration – HttpSecurity vs WebSecurity
  4. Spring Boot 2.0.x disable security for certain profile
  5. How to disable ‘X-Frame-Options’ response header in Spring Security?
  6. How to enable HTTP response caching in Spring Boot
  7. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  8. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  9. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  10. Securing Spring Boot API with API key and secret
  11. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  12. How do I disable resolving login parameters passed as url parameters / from the url
  13. How do I add method based security to a Spring Boot project?
  14. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  15. Disable HTTP OPTIONS method in spring boot application
  16. Single role multiple IP addresses in Spring Security configuration
  17. disabling spring security in spring boot app [duplicate]
  18. Disabling a filter for only a few paths
  19. Spring Boot Microservices – Spring Security – ServiceTest and ControllerTest for JUnit throwing java.lang.StackOverflowError
  20. Spring Boot Configure and Use Two DataSources
  21. How can I log SQL statements in Spring Boot?
  22. How to configure embedded Tomcat integrated with Spring to listen requests to IP address, besides localhost?
  23. Springfox 3.0.0 is not working with Spring Boot 2.6.0 [duplicate]
  24. Don’t spring-boot-starter-web and spring-boot-starter-webflux work together?
  25. Unit testing with Spring Security
  26. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  27. @PathVariable in SpringBoot with slashes in URL
  28. Integration Test with Spring Boot and Spock
  29. SpringBoot doesn’t handle org.hibernate.exception.ConstraintViolationException
  30. Mono switchIfEmpty() is always called

Leave a Comment