Using @EnableGlobalAuthentication or @EnableAutoConfiguration on Classes Using Method Security causes Bean Cycle #2578
/cc @rwinch |
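@peterboni Thank you for the report

Issue Details

Why in Boot 1.2.2?

So the question is "Why is this happening in Boot 1.2.2 and not previous versions?" It happens due to two bug fixes:

Workaround

Do not annotate a class that requires AOP (i.e. contains any of the security annotations) with EnableGlobalAuthentication, EnableGlobalMethodSecurity, EnableWebSecurity, or EnableWebMvcSecurity. For example, you can use the following:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.security.access.annotation.Secured;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @SpringBootApplication
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class DemoApplication {

        public static void main(String[] args) {
            SpringApplication.run(DemoApplication.class, args);
        }

        // there is no need to implement GlobalAuthenticationConfigurerAdapter
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("user").password("password").roles("USER");
        }

        @RestController
        static class Controller {

            @RequestMapping("/test")
            @Secured("ROLE_USER")
            public String hi() {
                return "Hi";
            }
        }
    }

Long Term Fix

TBD |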
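A source-level check for the pattern the workaround above says to avoid, as an added example that is not part of the thread or of the Spring projects' code: it flags a type that carries one of the four @Enable* annotations and also has a method-security annotation on itself or on a direct member. The METHOD_SEC list, the regex tokenizer and the two sample sources are assumptions constructed for illustration; this is a heuristic, not a Java parser.

```python
import re

# Annotations the workaround says not to put on a class that needs AOP.
ENABLE = {"EnableGlobalAuthentication", "EnableGlobalMethodSecurity",
          "EnableWebSecurity", "EnableWebMvcSecurity"}
# Assumed set of method-security annotations; the thread itself uses @Secured.
METHOD_SEC = {"Secured", "PreAuthorize", "PostAuthorize", "RolesAllowed"}
# Skip strings, char literals, comments; capture annotations, type names, punctuation.
TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/'
    r'|@(?:\w+\.)*(\w+)|\b(?:class|interface|enum)\s+(\w+)|([(){};])', re.S)

def find_risky_classes(source):
    """Types that carry an @Enable* security annotation and also use method
    security on the type itself or on one of their direct members."""
    stack, pending, declared, parens, risky = [], [], None, 0, []
    for ann, type_name, punct in (m.groups() for m in TOKEN.finditer(source)):
        if ann:
            pending.append(ann)
        elif punct in ("(", ")"):
            parens += 1 if punct == "(" else -1
        elif parens:                  # inside (...), e.g. @Secured({"A"}): ignore
            continue
        elif type_name:               # annotations seen so far sit on this type
            declared = {"name": type_name, "enable": ENABLE & set(pending),
                        "secured": bool(METHOD_SEC & set(pending))}
            pending = []
        elif punct in ("{", ";"):     # a member ends or its body opens
            owner = next((c for c in reversed(stack) if c), None)
            if owner and declared is None and METHOD_SEC & set(pending):
                owner["secured"] = True   # innermost enclosing type only
            if punct == "{":
                stack.append(declared)    # None marks a non-type block
                declared = None
            pending = []
        elif punct == "}" and stack:
            closed, pending = stack.pop(), []
            if closed and closed["enable"] and closed["secured"]:
                risky.append(closed["name"])
    return risky

# Constructed samples: the pattern to avoid, then the nested-class shape of the workaround.
BAD = '@EnableGlobalAuthentication class Api { @Secured("ROLE_USER") String hi() { return "Hi"; } }'
OK = ('@EnableGlobalMethodSecurity(securedEnabled = true) class App {'
      ' static class Controller { @Secured({"ROLE_USER"}) String hi() { return "Hi"; } } }')

if __name__ == "__main__":
    print(find_risky_classes(BAD), find_risky_classes(OK))
```

The nested `Controller` is not reported because its `@Secured` method belongs to a separate class from the one carrying the `@Enable*` annotation, which is the arrangement the workaround uses.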
@rwinch Thank you |
@rwinch FYI use of GlobalAuthenticationConfigurerAdapter was recommended |
@peterboni Thank you for your response. I am going to work on getting the Spring Boot related documentation cleaned up in the coming weeks. I have created #2589 to formally track this |
I have followed the "workaround" and can't seem to get it to work. Using Boot 1.3.0.M5 and Security 4.0.2.RELEASE I have a configuration that looks as follows:

    @SpringBootApplication
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public class RestApplication {

        public static void main(String[] args) {
            ApplicationContext ctx = SpringApplication.run(RestApplication.class, args);
        }
    }

And an application configuration with the @EnableWebSecurity annotation:

    @Configuration
    @EnableWebSecurity
    @Profile("restonly")
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and().httpBasic();
            http.csrf();
        }

        @Bean
        public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
            return new SecurityEvaluationContextExtension();
        }
    }

I also have REST Repositories in a separate configuration:

    @Configuration
    public class AtlasRestMvcConfiguration extends RepositoryRestMvcConfiguration {

Any help would be appreciated since this is a major sticking point. |
Folks, please fix this issue in the next release. I got it the very first day I started to work with spring boot. It was reported many months ago. It is really important and workaround is not really working for many people. |
@sveryovka @forbode Thank you for the feedback. Can you please provide an example in which the workaround is not fixing the issue for you? I'm afraid without a concrete example, I will not be able to help. |
What would be ideal for you? I can't deliver all of my code. I have a number of modules and proprietary domain data. I could try to replicate the issue with a small subset I supposed, but first let me ask... |
@forbode Thanks for the response. I cannot tell from what you have posted since you do not include the classes that are using method level security. Perhaps putting a minimal sample together would work best. |
The error I am getting doesn't seem to have anything to do with the Repo's. I am getting
When my context attempts to load. You mentioned that the work around was to do the following:
Which I believe I illustrated in my prior post, yet I still get the error. I will attempt to replicate in a simple code base, but does this help? |
I can put example together in some time. But frankly speaking I do not quite understand why you want to help to fix workaround. Why can't this issue be fixed to work as expected? It is desired to have this working without any workarounds. |
@sveryovka If we had a simple fix for this issue it would certainly be in already. Unfortunately fixes for issues such as this can be complicated, time consuming and likely to introduce regressions if we're not very careful. A sample application would be most welcome and would help us get a head start when we do get the time to look into it. You can submit a pull-request against https://github.com/spring-projects/spring-boot-issues if you're able to get something together. I realize it can be frustrating when you hit issues like this, but please try to keep in mind that we're also trying to balance multiple pressures on our time. |
@sveryovka
Thanks for the response. It appears you are able to reproduce the error in a different way. However, without seeing a sample I'm afraid I will be of little help.
@forbode I agree that it is ideal to get a fix without workarounds. However, if I cannot reproduce the issue you are having, I doubt any fixes merged into the codebase are going to resolve your issue. @forbode @sveryovka In attempt to put this in to perspective. At the moment I know you are getting an error stating:
I also know you want this fixed within the code base. I would also like to fix this in the codebase. However, as @philwebb mentions this is very difficult to do given this information. It is a little bit like someone coming up to you and saying that they are getting a As you might have guessed a circular reference error is most likely quite a bit more complex than a Please be sure that I do want to help you and that I do want to get a fix into the codebase so that no workarounds are necessary. |
@rwinch Believe me I understand the complexity and will give you an example as soon as I can. Right now I'm under a demo time crunch so I cannot. I was giving the information that I could give you at the current time. Keep up the great work. As soon as I have a sample I will post it. |
@forbode Thanks for volunteering your help in reproducing the issue! |
@rwinch Rob, instead of adopting my own example to be able to publish it here I have tried to reproduce this issue with example which is already published above in the initial post (see #2578 (comment)), So I went to https://start.spring.io/, created new project (added Web and Security dependencies), copied code from this post and I am still able to reproduce the issue. Please use #2578 (comment) as example. I guess there is no need in other examples since this very simple one still causes same issue. |
@sveryovka Thanks for the details. This does reproduce the issue, but it does not follow the guidance of the workaround. I was under the impression that the issue was reproducible even when using the workaround. Of course the workaround should not be required. However, I want to ensure I understand the full scope of the issue before we try to resolve the problem. |
Are there plans when this will be fixed? Forget about workaround. Please fix it using example which is already published in the issue description. |
Well for what it's worth using Spring Security 4.0.3 and Spring boot start 1.3.3 I got it to work with a lot of digging. Here is my security configuration. I've omitted some code, but the important annotations are present:
|
@forbode your example is not complete so having it here does not really answer all questions. In fact going back to original issue posted 2 Mar 2015 it happened only if you have some method with "@Secured" annotation. Since your example does not have it is hard to say whether it is related to exact issue or not. Another point is that using original example posted 2 Mar 2015 you can make that exact code work just by replacing @Secured annotation with security restriction applied to URLs. I mean that definitely there are at least couple of ways how you can configure spring security with spring boot to work. This issue is about one very specific use case. To reproduce it you need to use original code posted 2 Mar 2015 and this problem is not resolved yet. |
Does SecurityEvaluationContextExtension work for PagingAndSortingRepository? I found out that if I use SpEL expression accessing principal.id for a PagingAndSortingRepository, the select count(entity)... query doesn't use the principal.id for filtering. Throws the following error "Not all named parameters have been set: [1] [select count(f) from Feedback f where f.companyId = ?1]" Any workaround for this? Please help |
@rwinch this issue is flagged for RC1 to be released soon. Do you intend to work on this soon? |
@snicoll I've been looking into this issue a bit more the past few days. In some respects I think that if you have a circular Bean dependency, you have just done something wrong. Why are users coding their At the same time I do understand that it is an unpleasant experience for users who are just getting started. I think #6178 will help alleviate some of the issues we have been seeing with AOP. However, it will not completely solve this issue. In short, there appears to be nothing that we can do in Boot to fix this. Therefore I'm closing this issue in favor of spring-projects/spring-security/issues/3934 |
In this method is true. But you can write "spring.main.allow-circular-references=true" into application.properties so you can solve the problem. You are looking: Solution |
Hi,
I created a new Spring Starter Project in STS (3.6.3.SR1 for Mac), with all defaults + Dependencies (Web, Security).
pom.xml
I made some simple changes to
DemoApplication.java
It starts.
It works.
But when I try to upgrade to Spring Boot 1.2.2.
pom.xml
I get this. The server won't start.