
Make DefaultRequestRejectedHandler Return HTTP 400 by default #13081

Open
@NathanD001

Expected Behavior

DefaultRequestRejectedHandler should return HTTP 400 by default instead of having to implement a custom bean.

Sample request:

```shell
curl --location --request GET 'http://localhost:8080/./' \
  --header 'Content-Type: application/json' \
  --header 'Accept-Language: en-us' \
  --header 'Accept: application/json'
```

Should return:

```json
{
  "timestamp": "2023-04-24T15:21:47.865+00:00",
  "status": 400,
  "error": "Internal Server Error",
  "path": "/./"
}
```

Current Behavior

```shell
curl --location --request GET 'http://localhost:8080/./' \
  --header 'Content-Type: application/json' \
  --header 'Accept-Language: en-us' \
  --header 'Accept: application/json'
```

Returns:

```json
{
  "timestamp": "2023-04-24T15:21:47.865+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "path": "/./"
}
```

Context

Currently the DefaultRequestRejectedHandler lets the RequestRejectedException bubble out, returning an HTTP 500, and has no logging. I think a more accurate status code is HTTP 400. https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/DefaultRequestRejectedHandler.java#L37

I was also unable to use HttpStatusRequestRejectedHandler because the log level used is debug when I think the log level should be error. https://github.com/spring-projects/spring-security/blob/main/web/src/main/java/org/springframework/security/web/firewall/HttpStatusRequestRejectedHandler.java#L59

This required me to implement this workaround, similar to a recommendation made here: https://stackoverflow.com/questions/51788764/how-to-intercept-a-requestrejectedexception-in-spring

```java
import java.io.IOException;
import jakarta.servlet.ServletException;            // javax.servlet.* on Spring Security 5.x
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.log4j.Log4j2;
import org.apache.http.HttpStatus;                  // SC_BAD_REQUEST == 400
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;

@Log4j2
public class CustomRequestRejectedHandler implements RequestRejectedHandler {
  @Override
  public void handle(
      HttpServletRequest request,
      HttpServletResponse response,
      RequestRejectedException requestRejectedException)
      throws IOException, ServletException {
    // Log the rejection at ERROR (the stock handlers log at DEBUG or not at all),
    // then answer with 400 instead of letting the exception surface as a 500.
    log.error("Framework rejected request.", requestRejectedException);
    response.sendError(HttpStatus.SC_BAD_REQUEST);
  }
}

// Register the handler so the security filter chain uses it instead of the default.
@Configuration
class RequestRejectedHandlerConfig {
  @Bean
  public RequestRejectedHandler requestRejectedHandler() {
    return new CustomRequestRejectedHandler();
  }
}
```

I do think this is low priority because there is a pretty simple workaround; however, I do think the correct status code is HTTP 400, so that should be the default behavior.

As a separate issue I think the log level in HttpStatusRequestRejectedHandler should be changed to error.

I'm also willing to open the Pull Request for this change if you consider this a valid enhancement. Please let me know. Thank you in advance!
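As an added example (not code from the issue above and not Spring Security's own code), the following shows an alternative to hand-rolling the whole handler: reuse the framework's existing `HttpStatusRequestRejectedHandler` for the 400 response and only add the error-level logging the issue asks for, then verify end to end with a JUnit 5 test that pushes the `GET /./` request from the issue through `StrictHttpFirewall` (the default firewall) and checks that the rejection becomes HTTP 400 rather than an unhandled 500. The class name `LoggingRequestRejectedHandler` is mine; it assumes Spring Security 6 (`jakarta.servlet`), `spring-test` and JUnit 5 on the classpath. On Spring Security 5.x the `jakarta.servlet` imports become `javax.servlet`.

```java
// Added example, not part of the issue or of Spring Security.
// Assumes Spring Security 6 (jakarta.servlet), spring-test and JUnit 5.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.firewall.HttpStatusRequestRejectedHandler;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.RequestRejectedHandler;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/** Logs every firewall rejection at ERROR, then delegates the response to the stock handler. */
class LoggingRequestRejectedHandler implements RequestRejectedHandler {
  private static final Logger log = LoggerFactory.getLogger(LoggingRequestRejectedHandler.class);

  // HttpStatusRequestRejectedHandler(int) ships with Spring Security; it writes the
  // status via response.sendError(...) but only logs at DEBUG, hence the wrapper.
  private final RequestRejectedHandler delegate =
      new HttpStatusRequestRejectedHandler(HttpServletResponse.SC_BAD_REQUEST);

  @Override
  public void handle(HttpServletRequest request, HttpServletResponse response,
      RequestRejectedException ex) throws IOException, ServletException {
    // Method, URI and peer address are client-controlled: pass them as placeholder
    // arguments (not string concatenation) so the log layout can encode them.
    log.error("Request firewall rejected {} {} from {}: {}",
        request.getMethod(), request.getRequestURI(), request.getRemoteAddr(), ex.getMessage());
    delegate.handle(request, response, ex);
  }
}

class LoggingRequestRejectedHandlerTest {

  @Test
  void nonNormalizedPathIsRejectedWith400() throws Exception {
    // Constructed request mirroring the curl in the issue: GET /./
    MockHttpServletRequest request = new MockHttpServletRequest("GET", "/./");
    MockHttpServletResponse response = new MockHttpServletResponse();

    // StrictHttpFirewall refuses the non-normalized path ("/./") ...
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    RequestRejectedException rejection =
        assertThrows(RequestRejectedException.class, () -> firewall.getFirewalledRequest(request));

    // ... and the handler turns that rejection into HTTP 400 instead of a 500.
    new LoggingRequestRejectedHandler().handle(request, response, rejection);
    assertEquals(400, response.getStatus());
  }
}
```

Expose `LoggingRequestRejectedHandler` as a `RequestRejectedHandler` `@Bean` exactly as in the workaround above and Spring Security's `FilterChainProxy` will pick it up. One design consideration: firewall rejections are triggered by arbitrary clients, so ERROR-level logging of every one can be noisy under scanning traffic; WARN with a rate-limited or aggregated alert is a common compromise, and `getRemoteAddr()` reports the proxy's address when the application sits behind a load balancer unless a forwarded-header filter is configured.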

Labels: in: web (An issue in web modules (web, webmvc)); type: breaks-passivity (A change that breaks passivity with the previous release); type: enhancement (A general enhancement)