Spring-cloud-netflix: Ribbon error (e.g. downstream 404 or timeout) in Zuul proxy bypasses normal Spring Boot error handling
The response is probably being manipulated directly somewhere, so the tomcat error page shows up (HTML) instead of the normal Spring Boot one (JSON).
dsyer
All 6 comments
I can't reproduce this now. Leaving it open in case it pops back again.
dsyer
on 3 Mar 2016
I've reproduced bug using Spring Cloud Brixton.RC1 + Spring Boot 1.3.3.RELEASE + Spring Security. Here is an example:
STR:
- Just clone project https://github.com/leofromgroza/zuul-server
- Start Spring Boot Application.
- Open URL http://localhost:8765/dummy/ (credentials -> user:password) and you will see standard Tomcat error page.
Turn Spring Security off:
- Comment Spring Security dependency in pom.xml file
- Comment security configuration in application.yml.
Restart app and open URL http://localhost:8765/dummy/ - you will see custom error page.
I debugged program and found that if Spring Security is turned on - app wraps javax.servlet.AsyncContext into org.springframework.security.web.servletapi.HttpServlet3RequestFactory$SecurityContextAsyncContext and Tomcat does not commit Response in method org.apache.catalina.core.ApplicationDispatcher#doForward because of check in line 394.
Also I found that if error happened and response is not committed Tomcat default behavior is to create his own error page: org.apache.catalina.valves.ErrorReportValve#invoke
leofromgroza
on 30 Mar 2016
Thanks for the sample app. I raised a ticket in Spring Security for that specific problem (which only seems to show up when you have a custom error handler as you do): https://github.com/spring-projects/spring-security/issues/3780.
I also noticed while investigating this that if there is an error rendering the custom error page you get the same effect.
dsyer
on 1 Apr 2016
@leofromgroza Thanks for the detailed walk through! This appears to be a bug in Tomcat. However, the workaround was simple so I pushed a fix to master. Please see https://github.com/spring-projects/spring-security/issues/3780#issuecomment-204427591 for additional details (including a link to the bug report I filed with Tomcat).
rwinch
on 1 Apr 2016
@dsyer @rwinch Thank you guys for so fast reaction. You are really cool! I felt the real power of open source;) Thank you!
leofromgroza
on 2 Apr 2016
@dsyer are we still tracking this here or can we close it?
spencergibb
on 9 May 2016
Related issues
PatrikSteuer
路
3Comments
hotblac
路
3Comments
sprgn
路
3Comments
Alvise88
路
3Comments
lucaGazzola
路
3Comments
Most helpful comment
Thanks for the sample app. I raised a ticket in Spring Security for that specific problem (which only seems to show up when you have a custom error handler as you do): https://github.com/spring-projects/spring-security/issues/3780.
I also noticed while investigating this that if there is an error rendering the custom error page you get the same effect.