Description
It isn't obvious when reading the Boot 2.x Migration Guide that one consequence of this:
The security auto-configuration no longer exposes options and uses Spring Security defaults as much as possible.
Is that, where /error was once public, it is now secured.
The Spring Boot Security 2.0 page does help by saying:
When Spring Security is on the classpath, the auto-configuration secures all endpoints by default.
But, it isn't clear to users who are migrating that this includes /error.
This has caused some confusion and heartburn for users that could be somewhat alleviated by calling it out.
Looks like there is already some of this in the guide:
One noticeable side effect of that is the use of Spring Security’s content negotiation for authorization (form login).
It may be valuable to add to the guide a bit of the rationale behind the change. Some users mistakenly believe that when they are proactively securing /error, that it is an icky workaround instead of the desired practice.
Here is some rationale that we could draw from:
- We should be secure by default. It was surprising that even though Spring Security secures every endpoint by default, somehow
/errorwasn't included in this. Spring Boot 2.0 is now secure by default, too, in that all endpoints, including/errornow respect the Spring Security default. - Also with
/errorit was the case that Spring Security wasn't invoked at all, meaning that things like secure headers, https redirects, and the like weren't consulted as part of the response.
I think that the nod to simpification already in the docs is a good one, too.