Only Observe AuthenticationManager if it is not null

Closes gh-13084
spring-projects · May 2, 2023 · 69338ec · 69338ec
1 parent 8c5f136
commit 69338ec
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/...c/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java b/...c/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
@@ -2998,7 +2998,7 @@ protected void beforeConfigure() throws Exception {
 		else {
 			ObservationRegistry registry = getObservationRegistry();
 			AuthenticationManager manager = getAuthenticationRegistry().build();
-			if (!registry.isNoop()) {
+			if (!registry.isNoop() && manager != null) {
 				setSharedObject(AuthenticationManager.class, new ObservationAuthenticationManager(registry, manager));
 			}
 			else {

diff --git a/...ramework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java b/...ramework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
@@ -22,6 +22,7 @@
 import java.util.concurrent.Callable;
 
 import com.google.common.net.HttpHeaders;
+import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.Test;
@@ -39,13 +40,16 @@
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.TestingAuthenticationProvider;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
 import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.AnonymousConfigurer;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
@@ -325,6 +329,13 @@ public void getWhenCustomContentNegotiationStrategyThenUses() throws Exception {
 				.resolveMediaTypes(any(NativeWebRequest.class));
 	}
 
+	// gh-13084
+	@Test
+	public void configureWhenNoAuthenticationManagerAndObservationRegistryNotNoOpThenConfigure() throws Exception {
+		this.spring.register(ObservationConfig.class, NoAuthenticationManagerConfig.class).autowire();
+		this.mockMvc.perform(get("/"));
+	}
+
 	@RestController
 	static class NameController {
 
@@ -532,6 +543,38 @@ static ContentNegotiationStrategy cns() {
 
 	}
 
+	@Configuration
+	@EnableWebSecurity
+	static class NoAuthenticationManagerConfig {
+
+		@Bean
+		SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
+			http.anonymous(AnonymousConfigurer::disable);
+			return http.build();
+		}
+
+		@Bean
+		AuthenticationProvider authenticationProvider1() {
+			return new TestingAuthenticationProvider();
+		}
+
+		@Bean
+		AuthenticationProvider authenticationProvider2() {
+			return new TestingAuthenticationProvider();
+		}
+
+	}
+
+	@Configuration
+	static class ObservationConfig {
+
+		@Bean
+		ObservationRegistry observationRegistry() {
+			return ObservationRegistry.create();
+		}
+
+	}
+
 	static class DefaultConfigurer extends AbstractHttpConfigurer<DefaultConfigurer, HttpSecurity> {
 
 		boolean init;