Preventing spring-security to redirect invalid urls to login page

frontend · unresolved · 2 answers · 872 views
遇见更好的自我 2021-01-25 04:59

I've set up a spring-boot + spring-mvc + spring-security project.

Everything works as expected right now except for the invalid urls.

If I issue:

2 answers
  •  忘了有多久
    2021-01-25 06:00

    This is a security feature, not a problem.

    Your security model is "deny all unless explicitly allowed". If a request path is protected (i.e. doesn't match an explicitly permitAll path), then you would not want to reveal that it does not exist until the user was authenticated. In certain situations the 404 could leak private information:

    .../user/jones is 404? Hmm... something happened to Jones

    This is the reason well designed login forms don't tell you "user not found" or "invalid password", and instead just say "invalid credentials" in all failure cases to avoid giving away too much.

    The only way to get invalid URLs to bypass security would be to invert your security model, making everything public unless explicitly protected ("allow unless explicitly prohibited"). Which has its own set of issues, such as having to remember to update the definition every time a new root path is created.
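As an added illustration of the two models the answer contrasts (this is example code, not from the question or the answer above), here is a Spring Security 6 `SecurityFilterChain` for each, selected by a Spring profile, plus MockMvc checks that show the observable difference. The path patterns `/public/**`, `/admin/**` and `/user/**`, the profile name `allow-by-default` and the class names are assumptions for the example. Under deny-by-default, `anyRequest().authenticated()` is evaluated in the security filter chain before the DispatcherServlet ever learns that no handler exists, so an anonymous `GET /does-not-exist` is redirected to the login page; under allow-by-default the same request passes the filter and the servlet answers 404, which is exactly the existence oracle the answer warns about.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Model 1 (active unless the "allow-by-default" profile is set):
    // "deny all unless explicitly allowed". Only the listed prefixes are public;
    // every other path, existing or not, requires authentication first.
    @Bean
    @Profile("!allow-by-default")
    SecurityFilterChain denyByDefault(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**", "/login", "/error").permitAll()
                .anyRequest().authenticated())            // catch-all: protected
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Model 2 (the inversion the answer describes): "allow unless explicitly
    // prohibited". Any prefix not listed here is public, so every new root path
    // must be remembered and added, or it ships unprotected.
    @Bean
    @Profile("allow-by-default")
    SecurityFilterChain allowByDefault(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**", "/user/**").authenticated()
                .anyRequest().permitAll())                // catch-all: public
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

// Belongs in the test source tree. No handler is mapped for /does-not-exist.
@SpringBootTest
@AutoConfigureMockMvc
class DenyByDefaultInvalidUrlTest {
    @Autowired MockMvc mvc;

    // The unknown path never reaches the servlet; the filter chain redirects
    // to the form login page, so nothing about the path's existence leaks.
    @Test
    void unknownPathRedirectsToLogin() throws Exception {
        mvc.perform(get("/does-not-exist"))
           .andExpect(status().isFound())
           .andExpect(redirectedUrl("http://localhost/login"));
    }
}

@SpringBootTest
@AutoConfigureMockMvc
@ActiveProfiles("allow-by-default")
class AllowByDefaultInvalidUrlTest {
    @Autowired MockMvc mvc;

    // Same request, inverted model: the servlet answers 404 to an anonymous
    // caller, which is the behaviour the question asked for and the
    // enumeration oracle the answer cautions against.
    @Test
    void unknownPathIsNotFound() throws Exception {
        mvc.perform(get("/does-not-exist"))
           .andExpect(status().isNotFound());
    }
}
```

On Spring Security 5.x the equivalent chain is `http.authorizeRequests().antMatchers(...).permitAll().anyRequest().authenticated()`; the ordering argument is the same. Note that `/error` is permitted in the deny-by-default chain only so that Spring Boot's error page can render for authenticated users who hit a genuine 404; it does not change what anonymous callers see.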
