When we receive the response after calling a rest service, we wait for an error message to help get the problem’s origin. In this case, we got the correct code but the message was the one related to the status code: «server error». Where was our error message?
{
"timestamp": "<TIMESTAMP>",
"status": 500,
"message": "server error",
"path": "/"
}
We started to check the ResponseStatusExceptionResolver and if the problem was related to this class. In fact, we created a custom ResponseStatusExceptionResolver and put a test message in the response to be sure that we were sending the message:
response.sendError(500, "TEST MESSAGE");
Sadly, I received the same message: «server error». So we started to google for a solution and find that by putting in the properties file the property server.error.include-message=always, the Spring Boot will send our error message. But we had no luck. (https://stackoverflow.com/questions/62561211/spring-responsestatusexception-does-not-return-reason)
Then, we started to check the Javadoc of the following method HttpServletResponse#sendError(int,String):
«If an error-page declaration has been made for the web application corresponding to the status code passed in, it will be served back in preference to the suggested msg parameter and the msg parameter will be ignored.»
Maybe, the problem was related to the error page. The error message is right when it runs locally, it only fails if we activate the HTTP security in our remote servers.
We reached this question in Stackoverflow: https://stackoverflow.com/questions/70270993/error-response-body-is-empty-in-spring-boot-2-6 and got the following solution:
«If you permit access to the /error whitelabel page in your SecurityConfig it should work again. However, this seems to be a workaround as the issue is still in progress.»
The problem IS located in the security context of Spring. The error message is overwritten with the configuration in Spring Security so the message is lost and replaced with the standard error message of the status.
We have two solutions to resolve the problem: permitAll access to the error page or disable the errorPageSecurityInterceptor.
The issue for the first solution is ResponseStatusException no longer returning response body in 2.6.1 using spring security, but if you don’t want to allow access to the error pages, you should check this another issue Page with permitAll is no longer accessible via auto-configured MockMvc to disable an interceptor adding the following bean to your config:
@Bean
static BeanFactoryPostProcessor removeErrorSecurityFilter() {
return (beanFactory) ->
((DefaultListableBeanFactory)beanFactory).removeBeanDefinition("errorPageSecurityInterceptor");
}
This problem was reproduced in Spring Boot 2.7.1 with Spring Security. At different sites, developers complain about versions 2.5.7 or 2.6.x