APM + Webflux: @PreAuthorize returns always HTTP 403
Describe the bug
The combination of APM with Webflux and Spring Security leads to 403 errors in RestControllers, when using @PreAuthorize.
Steps to reproduce
Steps to reproduce the behavior:
- Create a default elasticapm.properties config in which the instrumentations for spring-webflux are not disabled.
- Create a @RestController and annotate a method with the following:
  @PreAuthorize("hasAuthority('SCOPE_yourScope')")
  @GetMapping(produces = {APPLICATION_JSON_VALUE, APPLICATION_STREAM_JSON_VALUE})
- Send a GET request to the API and receive HTTP 403.
- Disable the instrumentations for spring-webflux (disable_instrumentations=spring-webflux) -> receive HTTP 200 from the API.
Bad workaround
A workaround would be to move the checks for hasAuthority from the methods in the RestControllers to a SecurityWebFilterChain bean, which is called long before the RestControllers. In the SecurityWebFilterChain you can use pathMatchers with hasAuthority.
Note: The disadvantage of this approach is that you can accidentally forget to add pathMatchers for new methods. Your security and your REST APIs are somewhat separated.
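The workaround above as a SecurityWebFilterChain bean; this is an added example, not code from the issue or the agent project. It assumes a JWT resource server (the SCOPE_ prefix is Spring Security's default scope-to-authority mapping for JWTs) and a hypothetical /api/things path, and it adds a deny-by-default fallback so that a forgotten pathMatcher fails closed rather than silently exposing a new endpoint.

```java
// Added example (not from the issue): path-based authorization in a
// SecurityWebFilterChain instead of @PreAuthorize on the controller method.
// Assumptions: JWT bearer tokens and a hypothetical /api/things route.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            // Validate the bearer token before any controller is reached; the
            // token's "scope" claim becomes SCOPE_* authorities by default.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt())
            .authorizeExchange(exchanges -> exchanges
                // Same rule as @PreAuthorize("hasAuthority('SCOPE_yourScope')"),
                // now enforced on the path instead of the controller method.
                .pathMatchers(HttpMethod.GET, "/api/things/**").hasAuthority("SCOPE_yourScope")
                // Fail closed: a route without an explicit matcher is rejected,
                // so forgetting a pathMatcher for a new method yields 403
                // rather than an unprotected endpoint.
                .anyExchange().denyAll())
            .build();
    }
}
```

With denyAll as the fallback, every new endpoint (health checks included) needs its own matcher; the other option the issue describes, disable_instrumentations=spring-webflux in elasticapm.properties, keeps @PreAuthorize working at the cost of losing the agent's WebFlux spans.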
Additional info
- elasticApmVersion = "1.25.0"
- springBootVersion = "2.5.3"
- springSecurityVersion = "5.5.1"
- springCloudAwsVersion = "2.2.6.RELEASE"
- projectReactorVersion = "3.4.3"
Issue Analytics
- Created 2 years ago
- Comments: 10 (7 by maintainers)
Top GitHub Comments
Hi @kananindzya @SylvainJuge, I will try the new version first and will come back with some feedback.
Hi @kamilwozniak4213, thanks. I added a null check; after merging the pull request (https://github.com/elastic/apm-agent-java/pull/2159) there will be no such error.