WebFlux and resource server auto-configuration may fail due to null authentication manager #38713
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the report. It looks like the resource server-related auto-configurations are enabling web security in situations where they won't actually provide everything that's needed for that to succeed. We need to adjust the conditions on their |
wilkinsona
added
type: regression
wilkinsona
changed the title
|
@wilkinsona I'm very surprised with this change, Spring Boot 3.2.1-SNAPSHOT suddenly backs off applying any security ? Even if oauth2-resource server is not "properly configured", I still expect everything to fall back to the Given the following test:
|
|
That's not this change, it's #35338 that is causing that to happen. It failed with 3.2.0 as it wasn't backing off correctly and things were being left in a partial, broken state. If resource server is on the classpath but you're not actually using it in certain situations then, as described in the release notes, you should define your own user details service in those situations. |
|
Thanks for the quick reply. I realize #35338 is the original cause, but I'm not sure I understand. Should I open a new issue or do you consider this expected behaviour ? |
|
It's the expected behavior in order to avoid the unwanted warning described in #35338 that's triggered when the in-memory user details service is configured. |
|
As described in #38753, we need to find a better way to fix this. |
ndwnu
pushed a commit
to ndwnu/nls-routing-map-matcher
that referenced
this issue
Apr 10, 2024
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [org.apache.maven.plugins:maven-surefire-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` | | [org.apache.maven.plugins:maven-failsafe-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` | | [org.springframework.boot:spring-boot-starter-parent](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | parent | patch | `3.2.0` -> `3.2.1` | --- ### Release Notes <details> <summary>spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)</summary> ### [`v3.2.1`](https://github.com/spring-projects/spring-boot/releases/tag/v3.2.1) [Compare Source](spring-projects/spring-boot@v3.2.0...v3.2.1) #### 🐞 Bug Fixes - HibernateJpaAutoConfiguration should be applied before DataSourceTransactionManagerAutoConfiguration [#​38880](spring-projects/spring-boot#38880) - META-INF entries are duplicated under BOOT-INF/classes causing "Conflicting persistence unit definitions" error [#​38862](spring-projects/spring-boot#38862) - logging.include-application-name has no effect when using log4j2 [#​38847](spring-projects/spring-boot#38847) - Pulsar authentication param properties cause IllegalStateException with Pulsar Client 3.1.0 [#​38839](spring-projects/spring-boot#38839) - Child context created with SpringApplicationBuilder runs parents runners [#​38837](spring-projects/spring-boot#38837) - getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack [#​38833](spring-projects/spring-boot#38833) - TestContainers parallel initialization doesn't work properly [#​38831](spring-projects/spring-boot#38831) - Zip file closed exceptions can be thrown due to StaticResourceJars closing jars from cached connections [#​38770](spring-projects/spring-boot#38770) - Multi-byte filenames in zip files can cause an endless loop in ZipString.hash [#​38751](spring-projects/spring-boot#38751) - Gradle task "bootJar" fails with "Failed to get permissions" when using Gradle 8.6-milestone-1 [#​38741](spring-projects/spring-boot#38741) - Custom binding converters are ignored when working with collection types [#​38734](spring-projects/spring-boot#38734) - WebFlux and resource server auto-configuration may fail due to null authentication manager [#​38713](spring-projects/spring-boot#38713) - It is unclear that Docker Compose services have not been started as one or more is already run...
ndwlocatieservices
added a commit
to ndwnu/nls-routing-map-matcher
that referenced
this issue
Apr 16, 2024
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [org.apache.maven.plugins:maven-surefire-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` | | [org.apache.maven.plugins:maven-failsafe-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` | | [org.springframework.boot:spring-boot-starter-parent](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | parent | patch | `3.2.0` -> `3.2.1` | --- ### Release Notes <details> <summary>spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)</summary> ### [`v3.2.1`](https://github.com/spring-projects/spring-boot/releases/tag/v3.2.1) [Compare Source](spring-projects/spring-boot@v3.2.0...v3.2.1) #### 🐞 Bug Fixes - HibernateJpaAutoConfiguration should be applied before DataSourceTransactionManagerAutoConfiguration [#​38880](spring-projects/spring-boot#38880) - META-INF entries are duplicated under BOOT-INF/classes causing "Conflicting persistence unit definitions" error [#​38862](spring-projects/spring-boot#38862) - logging.include-application-name has no effect when using log4j2 [#​38847](spring-projects/spring-boot#38847) - Pulsar authentication param properties cause IllegalStateException with Pulsar Client 3.1.0 [#​38839](spring-projects/spring-boot#38839) - Child context created with SpringApplicationBuilder runs parents runners [#​38837](spring-projects/spring-boot#38837) - getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack [#​38833](spring-projects/spring-boot#38833) - TestContainers parallel initialization doesn't work properly [#​38831](spring-projects/spring-boot#38831) - Zip file closed exceptions can be thrown due to StaticResourceJars closing jars from cached connections [#​38770](spring-projects/spring-boot#38770) - Multi-byte filenames in zip files can cause an endless loop in ZipString.hash [#​38751](spring-projects/spring-boot#38751) - Gradle task "bootJar" fails with "Failed to get permissions" when using Gradle 8.6-milestone-1 [#​38741](spring-projects/spring-boot#38741) - Custom binding converters are ignored when working with collection types [#​38734](spring-projects/spring-boot#38734) - WebFlux and resource server auto-configuration may fail due to null authentication manager [#​38713](spring-projects/spring-boot#38713) - It is unclear that Docker Compose services have not been started as one or more is already run...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Running into issues with upgrading 3.1.6 project to 3.2.0, using webflux + oauth2-resource-server:
Looks very similar to #37504
To reproduce:
contextLoads()testLooks like in 3.2 the
ReactiveUserDetailsServiceAutoConfigurationbacks off because of the@ConditionalOnMissingClass ReactiveOpaqueTokenIntrospectorthat oauth-resource-server brings along.In my
@SpringBootTests I don't have any resource server configured, I'm expecting it to fall back to the defaultWebFluxSecurityConfiguration, as it did in 3.1.6Looking at this, there would be another problem when you have oauth2-login on the classpath, which brings along
ClientRepository?The text was updated successfully, but these errors were encountered: