status 403 returned instead of the original 413

[johanra]

Hello ,
I am using Micronaut 3.7.0 which uses micronaut-security 3.8.0
The setting micronaut.security.reject-not-found is configured to true by default.
Now I have a request that initially was returning 403, after setting micronaut.security.reject-not-found to false. The status returned turns out to actually be 413 (payload/request too large).
Based on the micronaut security docs I would expect that this setting only affects 404 and translate those into 403.
Is this a bug for which I should create an issue or is this setting supposed to convert more than 404 ?

Also is it possible to see the "original" status codes in the server logs whenever reject-not-found causes a translation ?

[sdelamo]

Also is it possible to see the "original" status codes in the server logs whenever reject-not-found causes a translation ?

Sure, we could add a log trace.

[sdelamo]

Now I have a request that initially was returning 403, after setting micronaut.security.reject-not-found to false. The status returned turns out to actually be 413 (payload/request too large).
Based on the micronaut security docs I would expect that this setting only affects 404 and translate those into 403.

Not sure I understand the issue you are describing. Do you have a sample app which reproduces the desired behaviour and the actual behaviour.

[johanra]

@sdelamo sorry for the late reply.
At that time I was investigating an issue in our micronaut application which was responding 401/403 to a client. As it turned out this was caused by a very big header that was send to the application. This wasn't easy to diagnose because the application was responding with a 401/403 code. It was only after changing the setting for micronaut.security.reject-not-found to false that I could see what actually was going on.

I have reproduced this problem in this sample project which has a DocumentController with a simple download GET endpoint. This project uses latest micronaut 3.8.5

To simulate the header problem I artificially decreased micronaut.server.netty.max-header-size: 1 in the application.yml of the project
micronaut.security.reject-not-found=true

curl --location --request GET 'localhost:8080/api/document/download' -u 'sherlock:password' --head
HTTP/1.1 401 Unauthorized
date: Tue, 21 Feb 2023 16:25:53 GMT
transfer-encoding: chunked
connection: close

micronaut.security.reject-not-found=false

curl --location --request GET 'localhost:8080/api/document/download' -u 'sherlock:password' --head
HTTP/1.1 413 Request Entity Too Large
Content-Type: application/json
content-length: 172
connection: close

I would expect micronaut.security.reject-not-found not to have any effect on the returned response code here

[sdelamo]

We respond 401 automatically by design. We do that to avoid giving information to a potential attacker, whether a route exists or not.

[johanra]

Maybe that could be clarified a bit more in the security documentation now the name of the switch and the documentation give the impression that only 404 routes are hidden in this way but apparently more response codes are. Maybe indicate which codes are covered by this setting.

Also would be great to see a warning in the log that contains the actual code when it is transformed into 401/403

[sdelamo]

Also would be great to see a warning in the log that contains the actual code when it is transformed into 401/403

Please, if you want to send a PR to clarify the docs or improve the logs it is welcome.