Remote application from devtools does not work with security filter in WebSecurityConfigurerAdapter #25147
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the report. This is due to the changes to You should be able to get things working again by making a similar change in your code to replace your |
wilkinsona
added
the
for: team-attention
|
Sorry for the inconvenience, @straurob. As Andy said, we didn't consider the case where Spring Boot configures a The only way I can think of fixing this is to look for the presence of a |
|
Thanks for the quick replies, @mbhave and @wilkinsona. As far as I have understood, I changed my class to the following. Is this what you have in mind when switching to using If so, then there is the problem that the @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration {
private final JwtRequestFilter jwtRequestFilter;
public SecurityConfiguration(JwtRequestFilter jwtRequestFilter) {
this.jwtRequestFilter = jwtRequestFilter;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
httpSecurity
.cors().and()
.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.and()
.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class)
.mvcMatcher("/services/**").authorizeRequests()
.mvcMatchers(PUBLIC_RESOURCES).permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
return httpSecurity.build();
}
} |
|
@straurob I believe you can define an |
philwebb
added
type: regression
|
Tried that but this gives the following exception when starting the application. Inspecting this shows that Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.authentication.AuthenticationManager' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
at org.springframework.beans.factory.support.DefaultListableBeanFactory.raiseNoMatchingBeanFound(DefaultListableBeanFactory.java:1790) ~[spring-beans-5.3.3.jar:5.3.3]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1385) ~[spring-beans-5.3.3.jar:5.3.3]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1300) ~[spring-beans-5.3.3.jar:5.3.3]
at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887) ~[spring-beans-5.3.3.jar:5.3.3]
at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791) ~[spring-beans-5.3.3.jar:5.3.3]
... 39 common frames omitted |
|
Thanks for giving it a try. The I would guess that it's some sort of ordering problem and you may be running into the situation that org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.AuthenticationManagerDelegator addresses. Unfortunately that lazy delegator is package-private so you can't reuse it. @rwinch Can you please guide us here? What's the recommended way to define an |
|
Exposing an As @wilkinsona mentioned ordering can cause problems at times. I'd recommend either extracting the @straurob If you are still struggling after my suggestions, please ping me with an updated sample and I can take a look |
|
Thanks, Rob. Without using |
Thanks, @rwinch. Guess I need to come back to your offer. I'll try to setup a concrete example. Maybe you could provide some kind of "generic example" in the meantime? Maybe I just need a basic idea as a starting point. |
|
@straurob In case you missed this, we will be fixing this regression in the next Spring Boot 2.4.x patch release. While moving to |
|
@mbhave That's great to hear. Looking forward to the patch release. |
|
As @rwinch wrote in a recent comment:
After having update to 2.4.3, I tried to do it this way. But this doesn't take your hint into account. @Bean
public AuthenticationManager authenticationManagerBean(AuthenticationManagerBuilder builder) {
return builder.getOrBuild();
}Then the application won't start and gives the following exception:
I guess I'm having some trouble to setup the bean correctly. |
Just provide a bean without using the builder. |
Spring Boot version: 2.4.1
Motivation
I'd like to run my Spring Boot application as a remote application for local development and deploying to a Docker container.
Symptom
When starting the application, the following stack trace is raised. I guess the relevant message is:
Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.When removing
spring.devtools.remote.secretfrom the configuration, then the application starts but this disables the remote application feature.Setup
My application uses the following
WebSecurityConfigurerAdapterwhich adds aJwtRequestFilter extends OncePerRequestFilter:pom.xml:
The text was updated successfully, but these errors were encountered: