Spring security 5 "Bad credentials" exception not shown with errorDetails

[fred01]

Summary

I'm just switch from Spring Boot 1.5.4 to 2.0.0.BUILD-SNAPSHOT. Most functionality migrate seamless, but i meet strange behavior of BadCredentialsException handling. In Spring 4 it was show as all other exceptions, like

{
    "error": "Unauthorized",
    "message": "Bad credentials",
    "path": "/v1/admin/users",
    "status": 401,
    "timestamp": "2017-07-25T10:53:13+0000"
}

But now just empty response with code 401 produced. All other spring security exceptions like "Forbidden" shown as expected in JSON.

Actual Behavior

Just

HTTP/1.1 401

on BadCredentialsException

Expected Behavior

Full JSON body

{
    "error": "Unauthorized",
    "message": "Bad credentials",
    "path": "/v1/admin/users",
    "status": 401,
    "timestamp": "2017-07-25T10:53:13+0000"
}

on BadCredentialsException

Configuration

Only default spring security properties, no additional properties set

Version

Spring Boot 2.0.0 SNAPSHOT, Spring Framework 5.0.0.M3

Sample

Sorry, part of production project

[fred01]

Solved by myself. In Spring Security 5.0 necessary to permit all access to /error endpoint, for all http methods

[mzgg]

Hello, I have same problem, Could you explain that how are solve that in detail

[fred01]

Hi!
Actually it's Spring Boot 2 related issue, so i close it here.
I meet this problem twice.
First time i solved it by adding
.antMatchers("/error").permitAll()
Sometime later new Spring Boot 2 milestone broke it again. and second time it was broken completely. I make workaround then, but it was worst solution even i did. I'd intercept Spring Boot error controller and replace error in response.

[otidh]

Thanks. Your workaround works for me.

[jzheaux]

Actually, this was a proactive decision in the 2.x release of Boot, though I think we should do a better job of explaining the rationale (for which I've just logged a ticket to the Boot team).

The ticket also includes some of the reasoning, too, but I'll briefly summarize here:

• Spring Security secures all endpoints by default. (You can see this is the case by looking at the default implementation of configure in WebSecurityConfigurerAdapter). It was surprising (and less secure) that somehow /error wasn't included in the set of "all endpoints".
• And the way that Spring Boot excluded /error from Spring Security was actually to bypass the filter chain altogether, meaning that secure headers, https redirect, and other important security protections were not invoked.

So, actually, yes, if you want the Spring Boot /error page to be permitted, then it is more secure for you to declaratively say so. This makes it clear in your app what security allowances you are making.

[bhartishradha]

HI

I recently did upgrade of spring boot 2.1.7 and suddently I was not getting any error message ..I found some idea with this issue
so to fix this ..i have given this
antMatchers("/error").permitAll()
but now I m getting the error message but message are coming different
so previously before upgrade when i was putting wrong username/pwd ...the response was
{
"timestamp": 1571049553776,
"status": 401,
"error": "Unauthorized",
"message": "Authentication Failed: {"errorCode":"52e","adminMail":"System Administrator","role":[]}",
"path": "/login/auth"
}
and now after upgrade,this is the response
{
"timestamp": "2019-10-14T10:40:37.651+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/login/auth"
}

Let me know if somebody can help me for this

[tjmjansen]

HI

I recently did upgrade of spring boot 2.1.7 and suddently I was not getting any error message ..I found some idea with this issue
so to fix this ..i have given this
antMatchers("/error").permitAll()
but now I m getting the error message but message are coming different
so previously before upgrade when i was putting wrong username/pwd ...the response was
{
"timestamp": 1571049553776,
"status": 401,
"error": "Unauthorized",
"message": "Authentication Failed: {"errorCode":"52e","adminMail":"System Administrator","role":[]}",
"path": "/login/auth"
}
and now after upgrade,this is the response
{
"timestamp": "2019-10-14T10:40:37.651+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/login/auth"
}

Let me know if somebody can help me for this

I have the same issue, did you find a solution?

[bhartishradha]

HI
I recently did upgrade of spring boot 2.1.7 and suddently I was not getting any error message ..I found some idea with this issue
so to fix this ..i have given this
antMatchers("/error").permitAll()
but now I m getting the error message but message are coming different
so previously before upgrade when i was putting wrong username/pwd ...the response was
{
"timestamp": 1571049553776,
"status": 401,
"error": "Unauthorized",
"message": "Authentication Failed: {"errorCode":"52e","adminMail":"System Administrator","role":[]}",
"path": "/login/auth"
}
and now after upgrade,this is the response
{
"timestamp": "2019-10-14T10:40:37.651+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/login/auth"
}
Let me know if somebody can help me for this

I have the same issue, did you find a solution?

No ..
I am still trying to find the solution

[bhartishradha]

HI
I recently did upgrade of spring boot 2.1.7 and suddently I was not getting any error message ..I found some idea with this issue
so to fix this ..i have given this
antMatchers("/error").permitAll()
but now I m getting the error message but message are coming different
so previously before upgrade when i was putting wrong username/pwd ...the response was
{
"timestamp": 1571049553776,
"status": 401,
"error": "Unauthorized",
"message": "Authentication Failed: {"errorCode":"52e","adminMail":"System Administrator","role":[]}",
"path": "/login/auth"
}
and now after upgrade,this is the response
{
"timestamp": "2019-10-14T10:40:37.651+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/login/auth"
}
Let me know if somebody can help me for this

I have the same issue, did you find a solution?

HI
I wrote a customefailure handler and with that it worked

[tjmjansen]

How did you do that? I tried but exceptions are still coming out in the same manner

[rubensa]

I'm facing this problem too.
The most unexpected behavior is that if user credentials are not included at all then a 401 Unauthorized response that includes JSON response (like with any exception) is returned, but if wrong credentials are provided then a 401 Unauthorized is returned but without any JSON.
I think this is not very "consistent" behavior.

[bhartishradha]

no it wokred after applying some code.
let me forward that code