2.0 migration Guide should call out implications for /error #14474
Labels
type: wiki-documentation
A documentation update required on the wiki
Milestone
Comments
spring-projects-issues
added
the
status: waiting-for-triage
philwebb
added
the
type: wiki-documentation
|
NOTE: It is probably obvious, but in addition to |
snicoll
changed the title
snicoll
changed the title
|
I've added a note here about error and static resources. |
|
Could we add an example of how to do that? We might provide a way to ignore as was done in Boot 1.x but first propose they use permitAll (which is better because it allows access but enables other security features). |
|
I added a link in that section to the reference docs which has an example. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It isn't obvious when reading the Boot 2.x Migration Guide that one consequence of this:
Is that, where
/errorwas once public, it is now secured.The Spring Boot Security 2.0 page does help by saying:
But, it isn't clear to users who are migrating that this includes
/error.This has caused some confusion and heartburn for users that could be somewhat alleviated by calling it out.
Looks like there is already some of this in the guide:
It may be valuable to add to the guide a bit of the rationale behind the change. Some users mistakenly believe that when they are proactively securing
/error, that it is an icky workaround instead of the desired practice.Here is some rationale that we could draw from:
/errorwasn't included in this. Spring Boot 2.0 is now secure by default, too, in that all endpoints, including/errornow respect the Spring Security default./errorit was the case that Spring Security wasn't invoked at all, meaning that things like secure headers, https redirects, and the like weren't consulted as part of the response.I think that the nod to simpification already in the docs is a good one, too.
The text was updated successfully, but these errors were encountered: