micronaut-security: Allow 404 global error to be displayed even with security enabled
Steps to Reproduce
- Add a global 404 error
@Error(status = HttpStatus.NOT_FOUND, global = true)
- Enable security with
micronaut.security.enabled: true
- Add a controller with a parameter like
@Secured(Role.ROLE_CONNECT_READ)
@Controller("/{cluster}/connect")
public class ConnectController {
- Try to reach every child page like
/test/connect/bla
- Be redirected to the unauthorized URL
- Disable security with
micronaut.security.enabled: false
- Try to reach the same page like
/test/connect/bla
- See the 404 page
Expected Behaviour
Security should not change the behavior of the 404 page, and the 404 must be checked before security for some use cases. The best would be to give the user an option to choose whether they want a 404 or an unauthorized response.
I think the better option is to allow 404 before unauthorized if the ErrorController is annotated with: @Secured(SecurityRule.IS_ANONYMOUS)
Environment Information
- Operating System: Docker alpine
- Micronaut Version: 1.1.0
- JDK Version: openjdk:8-jre-alpine
Example Application
Full source code is here on branch dev
About this issue
- State: closed
- Created 5 years ago
- Reactions: 1
- Comments: 15 (11 by maintainers)
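The two orderings at issue in this report, as an added example that is not part of the original issue or of Micronaut's own code: a plain-Java model of "security check first" versus "route lookup first" for the `/{cluster}/connect` route. The class and method names, the `authenticated`/`hasRole` flags and the use of 401/403 status codes in place of the redirect are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Simplified model of the behaviour described in the issue; not Micronaut code.
public class NotFoundVsUnauthorized {

    // The only route in the report; it is secured by a role.
    static final List<String> ROUTES = Arrays.asList("/{cluster}/connect");

    // Match a path against the URI templates: each {variable} is one path segment.
    static boolean routeExists(String path) {
        for (String template : ROUTES) {
            String regex = template.replaceAll("\\{[^/}]+\\}", "[^/]+");
            if (Pattern.matches(regex, path)) {
                return true;
            }
        }
        return false;
    }

    // Security decides before route resolution: an anonymous caller is
    // rejected for every path, so it never reaches the global 404 handler.
    static int securityFirst(String path, boolean authenticated, boolean hasRole) {
        if (!authenticated) return 401;
        if (!routeExists(path)) return 404;
        return hasRole ? 200 : 403;
    }

    // Ordering requested in the issue: an unmatched path yields 404 before
    // any security decision is made.
    static int notFoundFirst(String path, boolean authenticated, boolean hasRole) {
        if (!routeExists(path)) return 404;
        if (!authenticated) return 401;
        return hasRole ? 200 : 403;
    }

    public static void main(String[] args) {
        // Constructed sample paths: the secured route and the child page from the report.
        String[] paths = {"/test/connect", "/test/connect/bla"};
        for (String p : paths) {
            System.out.printf("%-20s anonymous: securityFirst=%d notFoundFirst=%d%n",
                    p, securityFirst(p, false, false), notFoundFirst(p, false, false));
            System.out.printf("%-20s with role: securityFirst=%d notFoundFirst=%d%n",
                    p, securityFirst(p, true, true), notFoundFirst(p, true, true));
        }
    }
}
```

In this model the two orderings differ only for anonymous callers. Under `notFoundFirst` an anonymous client receives different responses for existing and non-existing paths, which is the information a security-first default withholds.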
That isn’t true. Authenticated requests to a resource that the user has access to but does not exist would result in a 404.
On Sat, Mar 28, 2020 at 4:26 PM J Lannoy notifications@github.com wrote: