Spring security always returns HTTP 403

逝去的感伤 2020-12-28 17:07

I have configured a custom Filter that grants a Spring authority for every URL other than /login:

public class TokenFilter impleme         


        
7 answers
  •  执笔经年
    2020-12-28 17:57

    Pretty old question, but just in case someone stumbles upon this post: an application had the same problem, and it turned out to be an issue with @ControllerAdvice.

    Basically, the setup was like this:

    @ControllerAdvice
    class MainController {
        // base class that other controllers extend
    }

    @PreAuthorize("...")
    class AdminController extends MainController {
        // ...
    }

    And for a strange reason, any controller extending from MainController would trigger the @PreAuthorize of the AdminController class even though there were no relationships between this controller and the latter.

    In my case, it was an easy fix, as removing the @ControllerAdvice was enough, but if you need @ControllerAdvice, you might move the annotation to a class that is never used as a superclass.
