Use apache httpclient send request with header(content-type=application/x-protobuf) wihout Authorization header to visit LDAP protect resource, should not return 406 not acceptable [SPR-14493]

[spring-projects-issues]

Alex J K Lin opened SPR-14493 and commented

One project use spring boot, spring security. In the controller it use @PreAuthorize("hasAnyRole(xxx)) to control the access to the Rest interface.

If use apache httpclient send request with header(content-type=application/x-protobuf) and without set the BasicHeader("Authorization", "Basic " + username: password),

it will return status code: 406, status reason: not acceptable.

I think it should return status code: 401 status reason: Unauthorized

I write a ProtobufErrorHttpMessageConverter extends AbstractJackson2HttpMessageConverter to register.

public ProtobufErrorHttpMessageConverter(final ObjectMapper objectMapper) {
    super(objectMapper, new MediaType("application", "x-protobuf", DEFAULT_CHARSET));
}

to fix that issue.

but i think if the framework can handle that situation is better, don't need to write one custom MessgeConver.

I also meet another issue, it will have warn message in the log:

WARN messages.ProtobufErrorHttpMessageConverter - Failed to evaluate deserialization for type [simple type, class com..messagesProto$Request]: com.fasterxml.jackson.databind.JsonMappingException: Can not find a (Map) Key deserializer for type [simple type, class com.google.protobuf.Descriptors$FieldDescriptor]

Fortunately, it has fixed in #18735.

---

No further details from SPR-14493

[spring-projects-issues]

Brian Clozel commented

I believe this issue belongs to Boot and is a duplicate of #2827. The object you're trying to serialize here is the error object provided by Boot, which is not a protobuf message.

This issue will be dealt with in Spring Boot. Please reopen this issue if you think this ticket is about something else and/or voice your opinion on the Boot issue tracker.

Thanks for the report!