Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix registration of SecurityExceptionHandling controller advice #802

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Fix registration of SecurityExceptionHandling controller advice #802

wants to merge 4 commits into from
+171 −98

Conversation

xak2000
Copy link

@xak2000 xak2000 commented Aug 10, 2022
edited

Description

Fix bug introduced in PR #413. Default SecurityExceptionHandling controller advice is not registered in an application.

See #707 (comment) for the detailed explanation.

Motivation and Context

Fixes #707, #541.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.

@xak2000
Move all test classes to a sibling package
b6fda5e 
When test classes live in the same package, where auto-configuration classes
under test also live, these tests are not pure anymore because they are under
the same component scan, as main classes. This component scan could create
beans and other entities that are not supposed to be created and will not be
created in a real application that will use problem-spring-web-autoconfigure
module.

This commit moves all test classes into a sibling package, so component scan
will not find any components from the main code, and container will contain
only beans created by auto-configurations.
@xak2000
Fix registration of SecurityExceptionHandling controller advice
3794c35 
When bean-factory method returns `AdviceTrait` interface that is not directly
annotated with `@ControllerAdvice`, Spring doesn't register this bean
as controller advice, so all `@ExceptionHander`s it provides are also
not registered.

This happens probably because of ordering between beans instantiation and
registration of controller advices in Spring MVC.

This commit changes the return type of bean-factory methods to a more concrete
type, that is directly annotated with `@ControllerAdvice` annotation.
This makes Spring always find the `@ControllerAdvice` annotation and
properly register these controller advices and any exception handlers
they contain.
@xak2000
Improve testing of configuration of exception handling
2e2364d 
Previously the test only checked that ExceptionHandling bean is present
in the context. But the presense of the bean doesn't mean the controller advice
and associated exception handlers are registered in Spring MVC.

Now the test will also check if HTTP request is really handled by one of
problem-spring-web exception handlers.
@xak2000
Add test for @ResponseStatus and Content-Type handling
239871c 
Verifies zalando#541
@xak2000 xak2000 mentioned this pull request Aug 18, 2022
Closed
@MALPI MALPI requested a review from danielrohe January 12, 2023 08:23
@Farley-Chen
Copy link

Recently I want to use this lib found the same bug.

The reason is as you say, when spring find annotation on bean which hasn't been loaded, it uses the type of the bean declare.

Change the return type is just the best solution as you mention. So good

But why the pull request haven't been accepted yet?

A little question, I think public is not necessary maybe?

@Farley-Chen
Copy link

I have a more question.

I found that ProblemHttpConfigurer.java and ProblemSecurityAutoConfiguration.java are for the same purpose to register the SecurityProblemSupport.

Are they duplicate? or I misunderstanding?

@xak2000
Copy link
Author

xak2000 commented May 10, 2023

A little question, I think public is not necessary maybe?

public is required because integration tests for these autoconfigurations are in the separate sibling package now, and these tests access these types. Mybe it's possible to change these tests somehow to not directly access these classes.

@xak2000
Copy link
Author

xak2000 commented May 10, 2023
edited

But why the pull request haven't been accepted yet?

I don't know. Without this fix autoconfiguration just doesn't work in any version after 0.25.2.

The workaround it simple, though: create your own @ControllerAdvice, that implements ProblemHandling and SecurityAdviceTrait:

@ControllerAdvice
final class SecurityExceptionHandling implements ProblemHandling, SecurityAdviceTrait {
}

@davidkarlsen
Copy link

Any update?

@davidkarlsen
Copy link

@MALPI You seem to be active on the code-base. This issue is a bit iffy - could a fix be merged onto main and a do a release? It's not so good to have to create a hack config class in own package:

@ControllerAdvice
final class Hack implements ProblemHandling, SecurityAdviceTrait {}

in all apps just to work around it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@whiskeysierra whiskeysierra Awaiting requested review from whiskeysierra

@lukasniemeier-zalando lukasniemeier-zalando Awaiting requested review from lukasniemeier-zalando

@AlexanderYastrebov AlexanderYastrebov Awaiting requested review from AlexanderYastrebov

@danielrohe danielrohe Awaiting requested review from danielrohe

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fails to work with Spring Security after upgrading to Spring Boot 2.5
3 participants
@xak2000 @Farley-Chen @davidkarlsen