Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

It's not possible to disable micrometer obversability #12268

Closed
goafabric opened this issue Nov 22, 2022 · 3 comments
Closed

It's not possible to disable micrometer obversability #12268

goafabric opened this issue Nov 22, 2022 · 3 comments
Assignees
@jzheaux
Labels
in: core An issue in spring-security-core type: bug A general bug
Milestone
6.0.1

Comments

@goafabric
Copy link

This is a continuation of
spring-projects/spring-boot#33275
As requested there, i will open an issue here.

It is currently not possible to disable micrometer observability.
While the docs mention this

@Bean ObservationRegistryCustomizer<ObservationRegistry> noSpringSecurityObservations() { ObservationPredicate predicate = (name, context) -> name.startsWith("spring.security.") return (registry) -> registry.observationConfig().observationPredicate(predicate) }

That has a type because a "!" is missing => "!name.startsWith("spring.security.")"
With the negation in place the application will juste crash.
See exception below.
Looking at the code, i guess the returned NOOP cannot be cast to the required FilterChainObservationContext which has more information.
Funny enough spring security has some NOOP handling implemented in that class, but that does not prevent the stacktrace below.

java.lang.ClassCastException: class io.micrometer.observation.Observation$Context cannot be cast to class org.springframework.security.web.ObservationFilterChainDecorator$FilterChainObservationContext (io.micrometer.observation.Observation$Context and org.springframework.security.web.ObservationFilterChainDecorator$FilterChainObservationContext are in unnamed module of loader 'app') at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:179) ~[spring-security-web-6.0.0-RC2.jar:6.0.0-RC2]
@goafabric goafabric added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 22, 2022
@goafabric goafabric mentioned this issue Nov 22, 2022
Closed
@jzheaux
Copy link
Contributor

jzheaux commented Nov 29, 2022

Thanks for the report, @goafabric. We'll get this prioritized for the next point release.

@jzheaux jzheaux added this to the 6.0.1 milestone Nov 29, 2022
@jzheaux jzheaux added in: core An issue in spring-security-core and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 29, 2022
@jzheaux
Copy link
Contributor

jzheaux commented Nov 29, 2022
edited
Loading

In the meantime, I believe you can use a bean post processor to customize the FilterChainProxy instance:

@Component 
class FilterChainProxyPostProcessor implements BeanPostProcessor {
    @Override
    Object postProcessBeforeInitialization(Object bean, String beanName) {
        if (bean instanceof FilterChainProxy) {
            ((FilterChainProxy) bean).setFilterChainDecorator(new FilterChainProxy.VirtualFilterChainDecorator());
        }
        return bean;
    }
}

jzheaux added a commit that referenced this issue Nov 29, 2022
@jzheaux
Fix Observability Opt-out Documentation Typo
c60c107 
Issue gh-12268
@goafabric
Copy link
Author

Using the suggested workaround i still get (with basic auth activated)

authenticate usernamepassword
authorize request

Will this be gone with the final fix ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: core An issue in spring-security-core type: bug A general bug
Projects
None yet
Milestone
6.0.1
Development

No branches or pull requests
2 participants
@jzheaux @goafabric