We recently started using the @PreAuthorize annotation with our REST endpoints. It works great; however, I did have a question regarding the HTTP code returned when issuing a GET vs. a POST or PUT.
It appears that when a user is not authorized to access the controller's REST endpoint, the HTTP status returned is different for GET and PUT/POST.
So for example, if I have an endpoint that is a GET and has a @PreAuthorize annotation and the user doesn't have access, a 403 Forbidden is returned. This is what I expect.
If the same annotation is then placed on a controller method that is a POST or a PUT, the HTTP response is 405 Method Not Allowed (note that when properly authorized the POST/PUT method returns 200 as expected).
When stepping through the code you can see that the underlying security filter returns a 403, but in the POST/PUT scenario the status code is dropped/ignored and replaced with a 405, much like it does when a NullPointerException occurs in your controller code.
Is this the expected behavior, or should a 403 Forbidden always be returned for users who do not have access to an endpoint?
For me the problem was inside the SecurityConfiguration.
By removing the line .and().exceptionHandling().accessDeniedPage("/access-denied") I got 403 Forbidden instead of 405 Method Not Allowed, which is most probably what you would expect.
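An added configuration example (not code from either post) that keeps a custom access-denied response for REST clients without the behaviour described above. It assumes the 405 came from accessDeniedPage() forwarding the original POST/PUT request to a "/access-denied" mapping that only accepts GET; the class name SecurityConfiguration is taken from the answer, and the JSON body is a constructed placeholder.

```java
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;

// Added example, not the code from the question or the answer.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // The form from the answer (kept commented out): accessDeniedPage()
            // sets 403 and then forwards the original request, method included,
            // to "/access-denied". Assumption: that path only handles GET, so a
            // forwarded POST/PUT ends as 405 Method Not Allowed instead of 403.
            // .exceptionHandling().accessDeniedPage("/access-denied")
            //
            // Replacement: write the 403 directly for every HTTP method, so the
            // REST client sees the status the security filter actually decided on.
            .exceptionHandling().accessDeniedHandler(restAccessDeniedHandler());
    }

    // AccessDeniedHandler is a functional interface: (request, response, exception).
    private AccessDeniedHandler restAccessDeniedHandler() {
        return (request, response, ex) -> {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.setContentType("application/json");
            // Constructed placeholder body; no forward, so no second dispatch happens.
            response.getWriter().write("{\"error\":\"forbidden\"}");
        };
    }
}
```

With this handler a denied GET, POST or PUT all return 403, which is easy to confirm with curl -X PUT against a @PreAuthorize-protected endpoint while unauthenticated or under-privileged.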