Expected Behavior
When the request resolver doesn't match, the filter should have a handler for failure for the user to customize.
Current Behavior
An error 404 page appears because it's not managed; a simple redirect strategy would do it.
7.0.0-SNAPSHOT
Comment From: joaquinjsb
I can create a PR if needed.
Comment From: jzheaux
Thanks for the suggestion, @joaquinjsb.
The semantics of the request resolver returning null is that it is abstaining, not erroring. As such, the request handling implications of this:
    if (!this.requestMatcher.matches(request)) {
        chain.doFilter(request, response);
        return;
    }
are the same as this:
    GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request);
    if (generateRequest == null) {
        chain.doFilter(request, response);
        return;
    }
IOW, if either of these does not match, then a downstream filter or servlet should handle the request. This is true in general of Spring Security filters as well, and a resulting 404 correctly indicates that your application is not handling requests like these.
You may want to consider adding something like:
    .anyRequest().authenticated()
to your application so that this returns a 403 instead.
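An added example, not part of the comment above and not Spring Security's own code: a filter chain that enables one-time-token login and places the suggested catch-all rule, so a request the token-generation filter abstains on still meets an authorization decision further down the chain. The class name, the bean name and the `/ott/sent` path are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;

@Configuration
@EnableWebSecurity
public class OttSecurityConfig { // hypothetical class name

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize
                // Assumed public page shown after a token has been sent.
                .requestMatchers("/ott/sent").permitAll()
                // Catch-all from the thread: when the one-time-token filter
                // abstains (matcher miss or resolver returning null) it calls
                // chain.doFilter(), and the request then reaches this rule
                // instead of falling through to an unmapped path.
                .anyRequest().authenticated())
            .oneTimeTokenLogin(Customizer.withDefaults());
        return http.build();
    }

    // oneTimeTokenLogin() needs a handler that runs once a token is generated.
    // This one only redirects; delivering token.getTokenValue() to the user
    // (mail, SMS, ...) is application-specific and would be added here.
    @Bean
    OneTimeTokenGenerationSuccessHandler ottSuccessHandler() {
        OneTimeTokenGenerationSuccessHandler redirect =
                new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");
        return (request, response, token) -> redirect.handle(request, response, token);
    }
}
```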
Comment From: joaquinjsb
Thanks for the feedback, I'll apply a filter.
Thanks!