I have a Spring/Jersey based web application which is currently running on Spring version 5.0. It does not have any UI. It exposes only REST API endpoints for its clients to consume. It is running on Tomcat 9 now. Authentication happens using SSL mutual auth (client and server certificates). spring-security intercepts the incoming requests and applies the logic written in custom auth providers. The spring-security configuration is in a custom XML file, as shown below.
<!-- auto-config='true' is shorthand for <form-login/>, <http-basic/> and <logout/>;
     create-session="stateless" means no HttpSession is ever created -->
<security:http auto-config='true' authentication-manager-ref="authenticationManager" create-session="stateless">
    <!-- Ant-style patterns: a single '*' matches within one path segment only -->
    <security:intercept-url pattern="/order-mgmt/v1/*" access="hasAnyRole('ROLE_MUTUAL')"/>
    <security:intercept-url pattern="/order-mgmt/v2/*" access="hasAnyRole('ROLE_MUTUAL')"/>
    <!-- custom mTLS authentication filter; the XML parser requires exactly one of
         the before/after/position attributes on this element -->
    <security:custom-filter ref="customAuthFilter" />
    <security:csrf disabled="true" />
</security:http>
The problem is that after I upgraded my Spring framework to version 6 and Tomcat to version 10, any API call (/order-mgmt/v1/* or /order-mgmt/v2/*) to my application is redirected (HTTP status 302) to some /login screen by spring-security and then fails with HTTP status 404. I can see the 302 redirect and the 404 error in Tomcat's access logs. I don't have any login page, nor do I want to introduce any such screen. This is very strange behaviour and is totally blocking my work. Any help is highly appreciated.
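As an added illustration (not part of the question above and not the asker's configuration): `auto-config='true'` on `<security:http>` is shorthand for `<form-login/>`, `<http-basic/>` and `<logout/>`, and form-login registers a `LoginUrlAuthenticationEntryPoint` whose default login URL is `/login`; that entry point is what turns an unauthenticated request into a 302 to `/login`. A certificate-authenticated, stateless REST chain normally omits it and names its own entry point instead, so an unauthenticated request gets a bare 401. The bean id `unauthorizedEntryPoint` and the filter position `PRE_AUTH_FILTER` are assumptions made for this example; the question itself does not establish that this shorthand is the cause of the behaviour reported.

```xml
<!-- Added example, not the asker's configuration. -->

<!-- What auto-config='true' expands to; each child element is what the shorthand adds. -->
<security:http authentication-manager-ref="authenticationManager" create-session="stateless">
    <!-- form-login installs LoginUrlAuthenticationEntryPoint: unauthenticated -> 302 to /login -->
    <security:form-login/>
    <security:http-basic/>
    <security:logout/>
    <security:intercept-url pattern="/order-mgmt/v1/*" access="hasAnyRole('ROLE_MUTUAL')"/>
    <security:intercept-url pattern="/order-mgmt/v2/*" access="hasAnyRole('ROLE_MUTUAL')"/>
    <!-- position is an assumption: custom-filter needs exactly one of before/after/position -->
    <security:custom-filter ref="customAuthFilter" position="PRE_AUTH_FILTER"/>
    <security:csrf disabled="true"/>
</security:http>

<!-- Stateless REST variant: no form-login, so no redirect. ExceptionTranslationFilter hands an
     unauthenticated request to the named entry point, which answers with a plain 401. -->
<bean id="unauthorizedEntryPoint"
      class="org.springframework.security.web.authentication.HttpStatusEntryPoint">
    <!-- String is converted to the org.springframework.http.HttpStatus enum constant -->
    <constructor-arg value="UNAUTHORIZED"/>
</bean>

<security:http authentication-manager-ref="authenticationManager"
               create-session="stateless"
               entry-point-ref="unauthorizedEntryPoint">
    <security:intercept-url pattern="/order-mgmt/v1/*" access="hasAnyRole('ROLE_MUTUAL')"/>
    <security:intercept-url pattern="/order-mgmt/v2/*" access="hasAnyRole('ROLE_MUTUAL')"/>
    <!-- position is an assumption: custom-filter needs exactly one of before/after/position -->
    <security:custom-filter ref="customAuthFilter" position="PRE_AUTH_FILTER"/>
    <security:csrf disabled="true"/>
</security:http>
```

The second block keeps the asker's access rules and custom filter unchanged; the only differences are the removal of `auto-config` and the explicit `entry-point-ref`, which is the quickest way to confirm from the access log whether the 302 disappears once form-login is no longer part of the chain.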