
WebFlux and resource server auto-configuration may fail due to null authentication manager #38713

Closed
tgeens opened this issue Dec 8, 2023 · 6 comments
Labels: type: regression (A regression from a previous release)

Comments

@tgeens

tgeens commented Dec 8, 2023

Running into issues with upgrading 3.1.6 project to 3.2.0, using webflux + oauth2-resource-server:

```text
Caused by: java.lang.IllegalArgumentException: authenticationManager cannot be null
	at org.springframework.util.Assert.notNull(Assert.java:172)
	at org.springframework.security.web.server.authentication.AuthenticationWebFilter.<init>(AuthenticationWebFilter.java:94)
...
```

Looks very similar to #37504

To reproduce:

  • webflux + oauth-resource-server starters - Initializr link
  • run contextLoads() test

Looks like in 3.2 the ReactiveUserDetailsServiceAutoConfiguration backs off because of the @ConditionalOnMissingClass ReactiveOpaqueTokenIntrospector that oauth-resource-server brings along.
In my @SpringBootTests I don't have any resource server configured, I'm expecting it to fall back to the default WebFluxSecurityConfiguration, as it did in 3.1.6

Looking at this, there would be another problem when you have oauth2-login on the classpath, which brings along ClientRepository?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 8, 2023
@wilkinsona
Member

wilkinsona commented Dec 8, 2023

Thanks for the report. It looks like the resource server-related auto-configurations are enabling web security in situations where they won't actually provide everything that's needed for that to succeed. We need to adjust the conditions on their WebSecurityConfiguration classes.

@wilkinsona wilkinsona added type: regression A regression from a previous release and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 8, 2023
@wilkinsona wilkinsona added this to the 3.2.1 milestone Dec 8, 2023
@wilkinsona wilkinsona changed the title Spring Boot 3.2 autoconfig: webflux + resource-server autoconfiguration crashes WebFlux and resource server auto-configuration may fail due to null authentication manager Dec 8, 2023
@wilkinsona wilkinsona modified the milestones: 3.2.1, 3.2.x Dec 8, 2023
@wilkinsona wilkinsona self-assigned this Dec 8, 2023
@wilkinsona wilkinsona modified the milestones: 3.2.x, 3.2.1 Dec 11, 2023
@tgeens
Author

tgeens commented Dec 12, 2023

@wilkinsona I'm very surprised with this change, Spring Boot 3.2.1-SNAPSHOT suddenly backs off applying any security?

Even if oauth2-resource server is not "properly configured", I still expect everything to fall back to the ReactiveUserDetailsServiceAutoConfiguration?

Given the following test:

```java
@Test
void testUnauthorized(ApplicationContext context) {
	var client = WebTestClient.bindToApplicationContext(context).build();
	client.get().uri("/").exchange().expectStatus().isUnauthorized();
}
```

  • Spring Boot 3.1.6: OK - HTTP 401
  • Spring Boot 3.2.0: FAIL - context fails to load
  • Spring Boot 3.2.1-SNAPSHOT: FAIL - HTTP 404

@wilkinsona
Member

wilkinsona commented Dec 12, 2023

That's not this change, it's #35338 that is causing that to happen. It failed with 3.2.0 as it wasn't backing off correctly and things were being left in a partial, broken state.

If resource server is on the classpath but you're not actually using it in certain situations then, as described in the release notes, you should define your own user details service in those situations.

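Following wilkinsona's advice above (define your own user details service when the resource server starter is on the classpath but is not actually configured), and the back-off behaviour tgeens describes in the opening comment, here is an added example of how to pin that fallback explicitly in a test so the `contextLoads()`/`testUnauthorized()` style test fails closed with a 401 rather than loading a context with no security applied. This is example code written for this page, not code from the issue, from the reporter, or from Spring Boot itself. It assumes the webflux, security and oauth2-resource-server starters on the test classpath and no `spring.security.oauth2.resourceserver.*` properties set; the package name, user name and password are placeholders.

```java
// Added example (not from the issue or Spring Boot's own code).
// Assumes: webflux + security + oauth2-resource-server starters on the test
// classpath, and no spring.security.oauth2.resourceserver.* properties set,
// so the resource server auto-configuration has nothing to configure.
package com.example.demo; // hypothetical package name

import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.test.web.reactive.server.WebTestClient;

/**
 * Explicit fallback user store for the test context. Because this bean is
 * defined by us, the default SecurityWebFilterChain from Boot's
 * WebFluxSecurityConfiguration has a user store to build its authentication
 * manager from, regardless of whether ReactiveUserDetailsServiceAutoConfiguration
 * backs off because a resource server class is on the classpath.
 */
@TestConfiguration
class TestUserDetailsConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: credentials are stored as "{id}hash", never as plain text.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    ReactiveUserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Placeholder credentials, valid only inside this test context.
        UserDetails user = User.withUsername("test-user")
                .password(encoder.encode("test-password"))
                .roles("USER")
                .build();
        return new MapReactiveUserDetailsService(user);
    }
}

@SpringBootTest
@Import(TestUserDetailsConfig.class)
class SecurityFallbackTests {

    @Test
    void anonymousRequestIsRejected(ApplicationContext context) {
        WebTestClient client = WebTestClient.bindToApplicationContext(context).build();
        // Fail-closed check: an unauthenticated request must get a 401, not be
        // answered (404/200) by an application on which no security was applied.
        client.get().uri("/").exchange().expectStatus().isUnauthorized();
    }

    @Test
    void validCredentialsPassTheFilterChain(ApplicationContext context) {
        WebTestClient client = WebTestClient.bindToApplicationContext(context).build();
        // With correct Basic credentials the request gets past security. There is
        // no handler mapped at "/" in this test app, so the application itself
        // answers 404; any status other than 401 means the chain accepted the login.
        client.get().uri("/")
                .headers(headers -> headers.setBasicAuth("test-user", "test-password"))
                .exchange()
                .expectStatus().value(status -> {
                    if (status == 401) {
                        throw new AssertionError("credentials were rejected");
                    }
                });
    }
}
```

The point of the second test is to distinguish "security is applied and rejects anonymous callers" from "the context loaded but every request is rejected": together the two tests catch both failure modes tgeens listed (context fails to load, or 404 instead of 401). When a real resource server is configured for a profile (issuer URI or introspection endpoint set), this test configuration should not be imported there, since the resource server chain rather than the user-details fallback is what is under test in that case.
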
@tgeens
Author

tgeens commented Dec 12, 2023

Thanks for the quick reply.

I realize #35338 is the original cause, but I'm not sure I understand. Should I open a new issue or do you consider this expected behaviour?

@wilkinsona
Member

It's the expected behavior in order to avoid the unwanted warning described in #35338 that's triggered when the in-memory user details service is configured.

@wilkinsona
Member

As described in #38753, we need to find a better way to fix this.

@wilkinsona wilkinsona reopened this Dec 13, 2023
wilkinsona added a commit that referenced this issue Dec 13, 2023
ndwnu pushed a commit to ndwnu/nls-routing-map-matcher that referenced this issue Apr 10, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [org.apache.maven.plugins:maven-surefire-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` |
| [org.apache.maven.plugins:maven-failsafe-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` |
| [org.springframework.boot:spring-boot-starter-parent](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | parent | patch | `3.2.0` -> `3.2.1` |

---

### Release Notes

<details>
<summary>spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)</summary>

### [`v3.2.1`](https://github.com/spring-projects/spring-boot/releases/tag/v3.2.1)

[Compare Source](spring-projects/spring-boot@v3.2.0...v3.2.1)

#### 🐞 Bug Fixes

-   HibernateJpaAutoConfiguration should be applied before DataSourceTransactionManagerAutoConfiguration [#&#8203;38880](spring-projects/spring-boot#38880)
-   META-INF entries are duplicated under BOOT-INF/classes causing "Conflicting persistence unit definitions" error [#&#8203;38862](spring-projects/spring-boot#38862)
-   logging.include-application-name has no effect when using log4j2 [#&#8203;38847](spring-projects/spring-boot#38847)
-   Pulsar authentication param properties cause IllegalStateException with Pulsar Client 3.1.0  [#&#8203;38839](spring-projects/spring-boot#38839)
-   Child context created with SpringApplicationBuilder runs parents runners [#&#8203;38837](spring-projects/spring-boot#38837)
-   getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack [#&#8203;38833](spring-projects/spring-boot#38833)
-   TestContainers parallel initialization doesn't work properly  [#&#8203;38831](spring-projects/spring-boot#38831)
-   Zip file closed exceptions can be thrown due to StaticResourceJars closing jars from cached connections [#&#8203;38770](spring-projects/spring-boot#38770)
-   Multi-byte filenames in zip files can cause an endless loop in ZipString.hash [#&#8203;38751](spring-projects/spring-boot#38751)
-   Gradle task "bootJar" fails with "Failed to get permissions" when using Gradle 8.6-milestone-1 [#&#8203;38741](spring-projects/spring-boot#38741)
-   Custom binding converters are ignored when working with collection types [#&#8203;38734](spring-projects/spring-boot#38734)
-   WebFlux and resource server auto-configuration may fail due to null authentication manager [#&#8203;38713](spring-projects/spring-boot#38713)
-   It is unclear that Docker Compose services have not been started as one or more is already run...