Description
Springboot version
2.3.4.RELEASE
Jetty version
jetty-9.4.31.v20200723; built: 2020-07-23T17:57:36.812Z; git: 450ba27947e13e66baa8cd1ce7e85a4461cacc1d; jvm 15+36-1562
Java version
OpenJDK Runtime Environment (build 15+36-1562)
OS type/version
Windows 10
Description
Hi,
First of all, I'm not sure if this is a Jetty issue or a Spring issue.
I have a bearer-protected app. I have set the multipart max file size and max request size to 10 MB.
```java
MultipartConfigFactory factory = new MultipartConfigFactory();
factory.setMaxFileSize(DataSize.ofMegabytes(10));
factory.setMaxRequestSize(DataSize.ofMegabytes(10));
return factory.createMultipartConfig();
```
The Authorization header is correctly set, as everything works for files under the limit.
But when I try to upload a file bigger than that, Jetty (correctly) throws an exception:
```java
if (MultiPartInputStreamParser.this._config.getMaxFileSize() > 0
        && _size + 1 > MultiPartInputStreamParser.this._config.getMaxFileSize())
    throw new IllegalStateException("Multipart Mime part " + _name + " exceeds max filesize");
```
This later gets mapped to a BadMessageException:
```
org.eclipse.jetty.server.HttpChannel [qtp765329253-31] handleException /my-path org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
```
I would expect a 400 code here, as I need to notify the client that he tried to upload too big a file.
But the app returns 401 Unauthorized.
This Jetty exception happens when BearerTokenAuthenticationFilter calls DefaultBearerTokenResolver.resolve.
BearerTokenAuthenticationEntryPoint receives as authException an InsufficientAuthenticationException "Full authentication is required to access this resource", hence the 401.
401 is wrong; it seems like the Jetty exception leads to a failure to obtain the Authorization header.
My guess is that this is a bug in Spring. Is there any workaround for this so I would return 400 in case of a BadMessageException?
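
One possible workaround for the behaviour reported above, as an added example that is not part of the original report and not code from Spring Security or Jetty: a servlet filter placed ahead of BearerTokenAuthenticationFilter that answers with the BadMessageException's own status code. The class names `SecurityConfig` and `BadMessageFilter` are hypothetical, and the JWT resource-server setup is an assumption about the app.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.BadMessageException;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical class names, constructed for illustration.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Catches Jetty's body-parsing failure thrown while later filters read request parameters. */
    static class BadMessageFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain chain) throws ServletException, IOException {
            try {
                chain.doFilter(request, response);
            } catch (BadMessageException e) {
                if (response.isCommitted()) {
                    throw e; // status line already sent, nothing left to change
                }
                response.reset();
                // setStatus, not sendError: sendError starts a container error dispatch,
                // which may be subject to the security rules again.
                response.setStatus(e.getCode()); // 400 in the log line quoted in the report
                response.setContentType("text/plain;charset=UTF-8");
                // Fixed text: the exception message is not echoed back to the client.
                response.getWriter().write("Request body could not be parsed or exceeds the upload limit");
            }
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Assumption: the app is a JWT resource server; keep its existing rules here.
        http.addFilterBefore(new BadMessageFilter(), BearerTokenAuthenticationFilter.class)
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt());
    }
}
```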