Spring Security 6.1.4 breaks authentication security context #13866
Comments
Hi, @m-ignatov. Thanks for the report. Can you put together a minimal sample that reproduces the problem?
Hi, @marcusdacoregio. You can find a minimal sample here: Running the included Spring Boot tests can reproduce the issue. Regards,
Hello, @m-ignatov. Thank you for the sample, it was really useful. I think that the problem is only happening in 6.1.4 because of this fix #13814. In summary, we delay the initialization of the But the problem is how and where you configured the With that said, we need to make sure that we expose a

```java
@Bean
static SecurityContextHolderStrategy securityContextHolderStrategy() {
    SecurityContextHolder.setStrategyName(MODE_INHERITABLETHREADLOCAL);
    return SecurityContextHolder.getContextHolderStrategy();
}

@Bean
static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
    return new DefaultMethodSecurityExpressionHandler();
}
```

I'll close this as solved since the problem is in the configuration and not a bug.
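To make the ordering problem concrete, here is an added stand-alone illustration (not code from the issue, the reporter's sample, or Spring Security itself): a component that resolves the SecurityContextHolderStrategy once at startup, a later call to setStrategyName() that swaps the global strategy, and the resulting null, followed by the aligned ordering that exposing the strategy as a @Bean is meant to guarantee. StrategyMismatchDemo and CapturingComponent are hypothetical names; the only assumption is spring-security-core on the classpath.

```java
// Added illustration, not from the issue or from Spring Security: why switching the
// SecurityContextHolder strategy after other components have captured it leaves
// getAuthentication() returning null. Assumes spring-security-core on the classpath.
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;

public class StrategyMismatchDemo {

    // Hypothetical stand-in for a filter or expression handler that resolves the
    // strategy once, when it is constructed, and keeps using that instance.
    static final class CapturingComponent {
        private final SecurityContextHolderStrategy strategy =
                SecurityContextHolder.getContextHolderStrategy();

        void authenticate(String user) {
            SecurityContext ctx = strategy.createEmptyContext();
            ctx.setAuthentication(new TestingAuthenticationToken(user, "n/a", "ROLE_USER"));
            strategy.setContext(ctx);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // 1. A component captures the default (plain thread-local) strategy.
        CapturingComponent early = new CapturingComponent();

        // 2. Later, e.g. from an InitializingBean, the mode is switched. setStrategyName()
        //    replaces the global strategy instance with an InheritableThreadLocal-backed one,
        //    so the component writes to one ThreadLocal and the holder reads from another.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
        early.authenticate("alice");
        Authentication seen = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("after late switch: " + seen); // prints "after late switch: null"

        // 3. Correct ordering: the strategy is fixed before any component captures it, which
        //    is what exposing it as a @Bean achieves. Writer and reader now share one instance.
        SecurityContextHolder.clearContext();
        CapturingComponent aligned = new CapturingComponent();
        aligned.authenticate("alice");
        System.out.println("after early switch: "
                + SecurityContextHolder.getContext().getAuthentication().getName());

        // 4. Inheritable mode also propagates the context to child threads started afterwards,
        //    which is the usual reason for choosing MODE_INHERITABLETHREADLOCAL in the first place.
        Thread child = new Thread(() -> System.out.println("child thread sees: "
                + SecurityContextHolder.getContext().getAuthentication().getName()));
        child.start();
        child.join();
        SecurityContextHolder.clearContext();
    }
}
```

Step 2 reproduces the symptom from the report (a populated context that reads back as null); steps 3 and 4 show the behaviour once the strategy is established before anything captures it.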
…r than initializing bean due to how the security context loads spring-projects/spring-security#13866 (comment)
* upgrade spring security to 5.8.3
* replace global method security with method security https://docs.spring.io/spring-security/reference/5.8/migration/servlet/authorization.html#servlet-replace-globalmethodsecurity-with-methodsecurity
* replace authorizeRequests with authorizeHttpRequests https://docs.spring.io/spring-security/reference/5.8/migration/servlet/authorization.html#_switch_to_authorizationmanager
* replace ant matcher with requestMatcher https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#use-new-requestmatchers
* replace WebSecurityConfigurerAdapter with SecurityFilterChain bean https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_stop_using_websecurityconfigureradapter
* replace filter chaining with lambda dsl
* replace filter chaining with lambda dsl for security configuration
* replace filter chaining with lambda dsl for security configuration
* Revert "replace filter chaining with lambda dsl for security configuration" This reverts commit 01ae1d3.
* switch to lambda dsl for OktaLocalSecurityConfiguration
* add dev security config to tests
* add security debugging
* add security debugging
* upgrade to springboot3.1.1, okta-spring-starter3.0.4, and remove spring security version
* replace javax with jakarta
* use thymeleaf spring6
* remove pinned versions that are coming from spring dependency management
* Migrate hibernate types to 62 and move to hypersistence package
* Use hypersistence instead of vladmihalcea
* Replace typedef pg_enum with PostgreSQLEnumType.class
* Replace typedef list-array with ListArrayType.class
* Replace typedef jsonb with JsonBinaryType.class
* Remove @ConstructorBinding from @ConfigurationProperties classes https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#constructingbinding-no-longer-needed-at-the-type-level
* move to spring 3.0.8 and change hypersistence to 60
* Remove unused constructor bindings
* upgrade springCloudVersion to springboot 3 supported version
* upgrade to spring 3.1.1 to update hibernate version
* add validCheckSum on change sets that are invalid
* add column definition for enum columns vladmihalcea/hypersistence-utils#625 (comment)
* move spring.profiles.include from each property file to spring.profiles.group in application.yaml
* go back to spring 3.0.8
* fix name order to use java object names rather than sql column names
* remove unused queries
* add @ConstructorBinding to objects that have multiple constructors
* upgrade graphql dependencies to 19.1; remove hibernate validator requirement because spring boot 3 supports the new version
* Move feature flags to a new file to fix issue with @ConfigurationProperties and ConstructorBinding
* add constructor binding back
* add necessary constructor binding back
* remove spring hibernate query utils since it doesn't support hibernate 6 and use jackson-datatype-hibernate6 instead of 5
* Convert DataSource into ProxyDataSource and use the selectCount to test n+1 https://dev.to/kirekov/integration-tests-for-n-1-problem-in-java-3b2i
* remove hibernate.query.interceptor.error-level since spring-hibernate-query-utils was removed
* add set properties as final for FeatureFlagsConfig
* rename access is denied with access denied
* update the expected error message on audit failure to remove nested exception
* use wiremock-jre8-standalone instead of jre8 because of compatibility issues with anything less than jetty11 wiremock/wiremock#1760 (comment)
* replace javax with jakarta, use the hibernate type from hypersistence, define column definition
* update lockfile
* update FeatureFlagProperties to handle rsv
* remove deleted result column from merge
* fix organizationName
* pin apache client5 to 5.2.1 until spring 3.1
* fix feature flag properties mock
* use google immutablemap
* add mock for create rsa jwt
* fix access denied error message
* check if device & specimen type are null before init; an error was happening with TestOrderServiceTest.roundTrip where mapping was not being saved
* upgrade to spring 3.1.3 and pin hibernate version
* replace an error message to be "Access Denied" instead of "Access is denied"; I missed this one during 8ee814b commit
* fix the assertion for the /api/token endpoint
* Revert "fix the assertion for the /api/token endpoint" This reverts commit 3864bc8.
* fix the assertion for the /api/token endpoint
* Remove the check to see if devices have already been created since it throws an error otherwise in most tests
* replace getGenericSpecimen() with genericSpecimenType in TestOrderServiceTest.roundTrip > createValidFacility > the second time of initializing device & specimen type ends up not actually saving the device_specimen_type
* update checksums based on merge to main and deploy
* add @repository to OrganizationRepository to potentially fix this error: Error creating bean with name 'organizationRepository' defined in gov.cdc.usds.simplereport.db.repository.OrganizationRepository defined in @EnableJpaRepositories declared on JpaRepositoriesRegistrar.EnableJpaRepositoriesConfiguration: Cannot resolve reference to bean 'jpaSharedEM_entityManagerFactory' while setting bean property 'entityManager'
* Revert "add @repository to OrganizationRepository" This reverts commit ab58356.
* upgrade to hibernate 6.3.1.FINAL; temporary change until spring 3.2+
* Replace @type(PostgreSQLEnumType.class) with @JdbcTypeCode(SqlTypes.NAMED_ENUM) https://docs.jboss.org/hibernate/stable/core/javadocs/org/hibernate/type/SqlTypes.html#NAMED_ENUM
* fix the time comparison and use current_timestamp() instead of NOW() https://discourse.hibernate.org/t/upgrade-to-6-3-rc1-cannot-compare-left-expression-of-type-java-sql-timestamp-with-right-expression-of-type-com-model-entity-impl-user/8034
* replace advisory lock procedure with native query; this was due to an issue introduced when updating hibernate to 6.3+ where an additional (null) parameter was being added automatically
* remove unused import
* fix comparison in test event search filter to use the internal id of test event when comparing to the root
* change postgres to be implementation dependency; this was only done for a test to pass, this can be removed and test can be refactored if we want.
* change the exception for cause to be PSQLException
* change the exception for cause to be PSQLException
* change initialization of security context strategy to be a bean rather than initializing bean due to how the security context loads spring-projects/spring-security#13866 (comment)
* add agnostic bulk upload enabled to feature flag properties
* comment out security context holder strategy bean to see if it is causing an issue during deployment
* Revert "comment out security context holder strategy bean to see if it is causing an issue during deployment" This reverts commit dcd1f93.
* temporarily move health check to another file
* upgrade to spring 3.1.4, dependency-management to 1.1.3, and spring-cloud-dependencies to 2022.0.4
* add logbook to log request and response
* add logging level trace for logbook
* remove access to / on security config and add /health to path in terraform app gateway check. The gateway can use the /health endpoint to verify the app is available outside the cdc network. Co-authored-by: Johanna <[email protected]>
* move path variable to both backend settings rather than static settings
* add probe to backend main and staging slots
* Revert "add probe to backend main and staging slots" This reverts commit 3dd75eb.
* Revert "remove access to / on security config and add /health to path in terraform app gateway check" This reverts commit ffbb226.
* remove /health endpoint
* remove path /health
* update to spring 3.1.5
* remove /health endpoint from security filter
* Replace hypersistence JsonBinaryType with Hibernate's SqlTypes.JSON
* fix preauthorize to get feature flag from the correct spot
* Revert "Replace hypersistence JsonBinaryType with Hibernate's SqlTypes.JSON" This reverts commit 1d371e3.
* use hypersistence-utils 62 instead of 60. Although 62 is not technically compatible, we are just using JSONb and ListArray types from this library
* update okta spring
* remove the pin to httpclient5 since okta 13 upgrade.
* change format for twilio dependency
* remove logbook
* remove exclusion of junit.vintage
* return number in total rather than the QueryCount object.
* pin okio-jvm to resolve snyk issue https://app.snyk.io/org/prime-simplereport/project/a72eef61-0dcc-4525-b95d-7cbc07215c81/pr-check/de909529-7986-40e9-8ba8-ecc810a0290d
* Update feature flag classes to create db loader whose only responsibility is to reload feature flags from the DB. All classes should only get feature flag status from the FeatureFlagsConfig class.
* remove rsv enabled
* replace deprecated liquibase labels with label filters even though we don't use them anywhere
* replace deprecated cors() with CorsConfigurationSource bean https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html#page-title
* add .cors(withDefaults()) to all SecurityFilterChain https://docs.spring.io/spring-security/reference/servlet/integrations/cors.html
* replace javax with jakarta in result service
* revert cors changes
* fix deprecated calls
* revert changes to feature flag config; the warning is intellij only and does not affect the code
* replace deprecated jwt with .jwt(withDefaults)
* add null to the constructor
* remove extra logs from azure dev
* remove hibernate dialect
* move client id missing into application-dev
* create a new properties file to contain empty client id
* replace pipeline enum for hibernate 6
* replace javax with jakarta
* add empty line back to application-dev.yaml file

---------
Co-authored-by: Johanna <[email protected]>
Describe the bug
After updating to Spring Security 6.1.4 (as part of Spring Boot 3.1.4), the authentication context is not being populated and `SecurityContextHolder.getContext().getAuthentication()` returns `null`. The issue seems to come from updating this concrete dependency:
Version 6.1.3 works fine.
After further investigation, it turns out this particular code in our application causes the authentication object to be null, but not sure why:
Expected behavior
Authentication context should be populated from the HTTP request Authentication header (JWT Bearer token).
The setup is a standard Spring Boot application with Spring MVC and Spring Security (Web Security Config).
Let me know if you need more information.
Regards,
Momchil