New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Spring Boot 3.2 app that uses WebFlux, Security, and Actuator may fail to start due to a missing authentication manager #39096
Comments
What version were you using previously?
If you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue. |
Edited*, will try to find some time tomorrow to set up something |
Update: Somehow I missed some conditionals so the entire SecurityConfig is not loaded. Then through auto configuration it leads to
What would be the recommended approach to conditionally disable security ? Define a web filter chain with permitAll, or disable some auto configurations ? |
It's hard to say. In your case, |
Created this demo project. |
Thank you. It works in 3.1.x due to the auto-configuration of a It does not work in 3.2.x due to #35338 which means that the This fix made in afad358 doesn't work here due to the auto-configuration ordering. The deny-all authentication manager is auto-configured by Lines 59 to 64 in d032b9d
For the purposes of Actuator security, I think we need to auto-configure a deny-all authentication manager when there's no |
Closed by 6ec56da. |
After migration to spring boot 3.2.1 (from 3.1.2) I'm facing the following issue:
Relevant dependencies:
Configuration file:
Codebase remains unchanged, aside from version upgrade.
The text was updated successfully, but these errors were encountered: