Basic auth is not working on lambda with Spring Boot

[Defozo]

• Framework version: v2.0.0.RELEASE
• Implementations: Spring Boot

Scenario

This is my SecurityConfiguration class:

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable()
                .authorizeRequests().anyRequest().authenticated()
                .and().httpBasic();

    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authentication)
            throws Exception
    {
        authentication.inMemoryAuthentication()
                .withUser("admin")
                .password(passwordEncoder().encode("fsdiojoigjsdoif"))
                .authorities("ROLE_USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

Expected behavior

When I run the project locally it properly shows basic auth and I can authenticate and access my endpoints.

Actual behavior

However, when I deploy it to Lambda it returns HTTP code 500 and prints this:

START RequestId: 298ebee0-275a-4618-96f6-c9535fd0179b Version: $LATEST
13:18:45.132 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 0-characterEncodingFilter
13:18:45.133 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 1-errorPageFilter
13:18:45.133 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 2-springSecurityFilterChain
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.135 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.136 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
Sep 10, 2019 1:18:45 PM org.springframework.boot.web.servlet.support.ErrorPageFilter forwardToErrorPage
SEVERE: Forwarding to error page from request [/api/user/add] due to exception [null]
java.lang.NullPointerException
at org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:59)
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:208)
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:182)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:138)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder.doFilter(FilterChainHolder.java:84)
at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115)
at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59)
at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108)
at com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder.doFilter(FilterChainHolder.java:84)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder.doFilter(FilterChainHolder.java:84)
at com.amazonaws.serverless.proxy.internal.servlet.AwsLambdaServletContainerHandler.doFilter(AwsLambdaServletContainerHandler.java:215)
at com.amazonaws.serverless.proxy.spring.SpringBootLambdaContainerHandler.handleRequest(SpringBootLambdaContainerHandler.java:154)
at com.amazonaws.serverless.proxy.spring.SpringBootLambdaContainerHandler.handleRequest(SpringBootLambdaContainerHandler.java:52)
at com.amazonaws.serverless.proxy.internal.LambdaContainerHandler.proxy(LambdaContainerHandler.java:163)
at com.amazonaws.serverless.proxy.internal.LambdaContainerHandler.proxyStream(LambdaContainerHandler.java:198)
at com.example.cognitouseradd.StreamLambdaHandler.handleRequest(StreamLambdaHandler.java:34)
at lambdainternal.EventHandlerLoader$2.call(EventHandlerLoader.java:888)
at lambdainternal.AWSLambda.startRuntime(AWSLambda.java:293)
at lambdainternal.AWSLambda.<clinit>(AWSLambda.java:64)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at lambdainternal.LambdaRTEntry.main(LambdaRTEntry.java:114)
13:18:45.137 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 0-characterEncodingFilter
13:18:45.137 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 1-errorPageFilter
13:18:45.137 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 2-springSecurityFilterChain
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 3-com.amazonaws.serverless.proxy.internal.servlet.FilterChainManager$ServletExecutionFilter
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.157 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletResponse - Response buffer flushed with 128 bytes, latch=1
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-com.amazonaws.serverless.proxy.internal.servlet.FilterChainManager$ServletExecutionFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-springSecurityFilterChain
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-errorPageFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-characterEncodingFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletResponse - Response buffer flushed with 128 bytes, latch=0
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 2-errorPageFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 2-characterEncodingFilter
13:18:45.158 [main] INFO com.amazonaws.serverless.proxy.internal.LambdaContainerHandler - 83.144.98.130 - [10/09/2019:13:18:45Z] "POST /error HTTP/1.1" 500 128 "-" "PostmanRuntime/7.15.2" combined
END RequestId: 298ebee0-275a-4618-96f6-c9535fd0179b
REPORT RequestId: 298ebee0-275a-4618-96f6-c9535fd0179b Duration: 27.63 ms Billed Duration: 100 ms Memory Size: 2048 MB Max Memory Used: 280 MB
XRAY TraceId: 1-5d77a2b5-55b4eca49658117b6945c9ee SegmentId: 3b064a9d05f901d4 Sampled: true

[sapessi]

I suspect the issue is caused by Spring Security trying to instantiate a session. We do not support sessions in the framework because of the stateless nature of Lambda. Take a look at how we configure SpringSecurity in our unit tests here. We also implemented additional fixes in the core branch to address #275 - they will go out with the next release over the next few weeks.

[sapessi]

Release 1.5 is making its way out to Maven central

[estigma88]

Hi everyone, was this fixed? I am getting the same error with the 1.5 version

[mohit224]

@estigma88 were you able to find a fix I am also getting the same error?
I reported this to @sapessi on a different thread:
#330

[sapessi]

I'll reopen #330 and work to replicate there.