Excluding ReactiveUserDetailsServiceAutoConfiguration can cause a WebFlux app to fail to start due to a null authentication manager #37504
Comments
It's more complex than this. Spring Security can either use an With this extra complexity, I think there's an increased risk of regression. Given that this hasn't been reported by users, I intend to only fix this in 3.2.x to help with #35338. We can then back port the changes if needed and if they haven't caused any problems.
There's further complexity. Whether or not With a change in place to only enable WebFlux security when there's an
Re-opening as one of the conditions is wrong. It should be using
See spring-projects/spring-boot#37504 Adds @EnableWebFluxSecurity and copied MapReactiveUserDetailsService beans from boot.
With thanks to @jzheaux, we also need to consider the case where the user's defined a
This issue occurred in one of our test classes when upgrading to Spring Boot 3.2.0 (Webflux app). As stated in the release notes you need to define a bean if you need the For people searching for a potential solution, adding the snippet below in a test config solved it for us.
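An added example, not code from this issue, from the commenter above or from Spring Boot, of the approach the 3.2 release notes describe: a test configuration that supplies its own `ReactiveUserDetailsService` (backed by an explicit `MapReactiveUserDetailsService`) so that `ServerHttpSecurity` can build a `ReactiveAuthenticationManager` even when `ReactiveUserDetailsServiceAutoConfiguration` is excluded. The class name, username, password, role and paths are constructed for illustration.

```java
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Hypothetical test configuration (added example). Importing it into a
// @SpringBootTest whose context excludes ReactiveUserDetailsServiceAutoConfiguration
// gives WebFlux security an explicit user store, so an authentication manager can
// be built and the context starts instead of failing on a null manager.
@TestConfiguration
public class WebFluxTestSecurityConfig {

    // Delegating encoder: stored passwords carry an algorithm prefix ({bcrypt}...),
    // so nothing is kept or compared in plain text, even in a test slice.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Explicit in-memory user store replacing the auto-configured default user.
    // Username, password and role are constructed values for this example only.
    @Bean
    ReactiveUserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails tester = User.withUsername("test-user")
                .password(encoder.encode("test-password"))
                .roles("USER")
                .build();
        return new MapReactiveUserDetailsService(tester);
    }

    // Deny-by-default filter chain: only the health endpoint is reachable
    // anonymously; every other exchange requires an authenticated principal.
    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/actuator/health").permitAll()
                        .anyExchange().authenticated())
                .httpBasic(Customizer.withDefaults())
                .build();
    }
}
```

Pull it into a test with `@Import(WebFluxTestSecurityConfig.class)` on the `@SpringBootTest` class. `@EnableWebFluxSecurity` is deliberately left off: Spring Boot's `ReactiveSecurityAutoConfiguration` applies it, and the user store defined here is what that auto-configuration was previously missing.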
Following the changes in gh-37504, the reactive resource server auto-configuration could enable WebFlux security in situations where it was otherwise inactive. This could then result in an application failing to start as no authentication manager is available. This commit updates the configurations that enable WebFlux security so that they fully back off unless their related configurations are active. Previously, only the configuration of the SecurityWebFilterChain would back off. This has been expanded to cover `@EnableWebFluxSecurity` as well. This has required splitting the configuration classes up so that the condition evaluation order can be controlled more precisely. We need to ensure that the JWT decoder bean or the opaque token introspector bean has been defined before evaluation of the conditions for `@EnableWebFluxSecurity`. Without this control, the import through `@EnableWebFluxSecurity` in one location where the conditions do not match can prevent a successful import in another where they do. Fixes gh-38713
Came here guided by this comment on

```java
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.web.reactive.DispatcherHandler;

/*
 * See https://github.com/spring-projects/spring-boot/issues/37504.
 * Because gateway has normal spring security and spring security oauth 2
 * we need an explicit @EnableWebFluxSecurity and a ReactiveUserDetailsService
 */
@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class)
@ConditionalOnClass({ DispatcherHandler.class, MapReactiveUserDetailsService.class })
@EnableWebFluxSecurity
public class TestEnableWebfluxSecurityAutoConfiguration {

}
```

Have been painfully debugging for two days trying to figure out why on earth I have a Are you all absolutely sure we can't get rid of it and solve this issue a better way? I'm sorry I'm not suggesting anything specific, but I'm done with debugging for a while
I suspect that code in Spring Cloud Gateway can be removed or at least refined thanks to #38713.
2. gateway oauth2login + oauth2ResourceServer + MapReactiveUserDetailService implemented. from spring 3.2.x, need to implement MapReactiveUserDetailService by my own. ref: spring-projects/spring-boot#37504 (comment)
While looking at the reactive side of #35338 I have learned that an app that depends on `spring-boot-starter-security` and `spring-boot-starter-webflux` will fail to start if `ReactiveUserDetailsServiceAutoConfiguration` is excluded:

The problem does not occur if `ReactiveSecurityAutoConfiguration` is also excluded. Perhaps `ReactiveSecurityAutoConfiguration` needs to back off in the absence of an `AuthenticationManager` bean but we'll need to be careful about unintended side-effects.