Add URL to RequestRejectedException when rejecting requests #5107

Closed
PatrickGotthard opened this issue Mar 13, 2018 · 5 comments
@PatrickGotthard

Summary

When a request gets rejected by the StrictHttpFirewall the URL will not be logged. So it's very hard to find out which client, frontend or else caused the issue.

Actual Behavior

When a request gets rejected by the StrictHttpFirewall the error message only states why a request was blocked but not which URL was called.

Expected Behavior

When a request gets blocked by the StrictHttpFirewall the exception should contain the URL which was called.

Version

spring-security-web 5.0.3.RELEASE

@rwinch
Member

rwinch commented Mar 19, 2018

Thanks for the report. Is there a reason the server cares? I would think that the client would need to change behavior so it would know what request caused the error.

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Mar 19, 2018
@PatrickGotthard
Author

PatrickGotthard commented Mar 19, 2018

Hi @rwinch,

my application is a monolith consisting of a REST backend with a few hundred REST endpoints and an ExtJS frontend. Since upgrading to Spring Boot 2 the application logged some RequestRejectedExceptions but I had no idea what caused the problem. Unfortunately the end users don't report every problem ;)

In the meantime I've installed a custom ServletFilter that logs the RequestRejectedExceptions together with the called URL but I think that Spring Security itself should log enough information to be able to analyze such exceptions.

Regards,
Patrick

@rwinch
Member

rwinch commented Mar 19, 2018

Thanks for the additional information. I'm going to log this as a duplicate of #5007, which is already asking for an improved way to handle the RequestRejectedException.

@rwinch rwinch closed this as completed Mar 19, 2018
@rwinch rwinch added status: duplicate A duplicate of another issue and removed status: waiting-for-feedback We need additional information before we can continue labels Mar 19, 2018
@rwinch rwinch self-assigned this Mar 19, 2018
@PatrickGotthard
Author

Did you mean #5007? :)

@rwinch
Member

rwinch commented Mar 19, 2018

Thanks, updated my comment to make it easier to follow along.
