Questions/Issues using v2.11.0 with Spring Boot and Identity Service
I am currently testing v2.11.0 of the security libs for multi-tenant validation of Identity Service tokens on CF and K8s.
Good news first, the functionality in general is working as expected! However, I did notice some things.
I was able to use the lib with a WebFilter setup like this:
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;

import org.springframework.web.filter.GenericFilterBean;

import com.sap.cloud.security.servlet.IasTokenAuthenticator;
import com.sap.cloud.security.servlet.TokenAuthenticationResult;
import com.sap.cloud.security.token.SecurityContext;

@WebFilter("/api/*")
public class AuthenticationFilter extends GenericFilterBean {

    private final IasTokenAuthenticator tokenAuthenticator;

    public AuthenticationFilter() {
        // no-arg constructor: the authenticator reads the Identity Service binding from the environment
        tokenAuthenticator = new IasTokenAuthenticator();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            TokenAuthenticationResult authenticationResult = tokenAuthenticator.validateRequest(request, response);
            if (authenticationResult.isAuthenticated()) {
                chain.doFilter(request, response);
            } else {
                // ...
            }
        } finally {
            // the validated token is stored thread-locally; clear it so a pooled thread does not leak it
            SecurityContext.clearToken();
        }
    }
}
This is all well and good, but I have another application in which I need the IasTokenAuthenticator to be autowired by Spring:
    private final IasTokenAuthenticator tokenAuthenticator;

    // constructor injection: Spring has to supply an IasTokenAuthenticator bean
    @Autowired
    public AuthenticationFilter(IasTokenAuthenticator tokenAuthenticator) {
        this.tokenAuthenticator = tokenAuthenticator;
    }
This doesn’t work out of the box since the IasTokenAuthenticator is not a bean and hence cannot be autowired.
This can be worked around like this:
import org.springframework.stereotype.Component;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.servlet.IasTokenAuthenticator;

@Component
public class CustomIasTokenAuthenticator extends IasTokenAuthenticator {

    // no-op override: the subclass exists only so that Spring registers it as a bean
    @Override
    protected OAuth2ServiceConfiguration getServiceConfiguration() {
        return super.getServiceConfiguration();
    }
}
But it would be nicer if this wouldn’t be required.
Second, this setup is inconvenient for running the app locally. Locally, the app defaults to using the CFEnvironment that tries to access environment properties using System::getenv.
Spring Boot allows maintaining app configuration in application.yml files. This is easier to maintain in a project than environment variables, since the file can be added to git.
Problem is that System::getenv and therefore the CFEnvironment used locally cannot read the properties defined in the application.yml file.
Finally, I was looking through the samples in this repository to see whether there’s also a way to configure everything declaratively using a @Configuration class, instead of wiring it up manually. The only one that looked like it is supposed to work with the Identity Service instead of the XSUAA is the spring-security-hybrid-usage sample. However, this did not work for me and the sample itself does not compile when I clone the repo and try to build it.
Building it the way it is, it fails with:
Description:
Field authConverter in sample.spring.security.SecurityConfiguration required a bean of type 'org.springframework.core.convert.converter.Converter' that could not be found.
The injection point has the following annotations:
- @org.springframework.beans.factory.annotation.Autowired(required=true)
Action:
Consider defining a bean of type 'org.springframework.core.convert.converter.Converter' in your configuration.
I also tried it without the Converter, since I’m currently not interested in the token exchange, but that also failed:
Description:
Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' that could not be found.
Action:
Consider defining a bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' in your configuration.
In summary, here are my questions:
- What is the recommended way to set up the library for usage with the Identity Service in a Spring Boot application?
- Is there a setup where I can autowire the necessary classes out-of-the-box without adding wrapper classes?
- Is there a setup where the lib can read from application.yml when running locally?
Thanks!
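One way to get both an injectable IasTokenAuthenticator and application.yml-based configuration for local runs, as an added example that is not part of the issue or of the library's samples: a @Configuration class that registers the authenticator as a bean under two Spring profiles. On CF/K8s the no-arg constructor keeps reading the service binding from the environment; under a "local" profile the service configuration is built from Spring Boot properties instead. The package name, the property prefix `identity` and its keys, and the placeholder values are my own choices; `OAuth2ServiceConfigurationBuilder.forService(Service.IAS)` and `withServiceConfiguration(...)` are assumed from the java-security API of this library and should be checked against the version in use.

```java
package sample.config; // hypothetical package, not from the issue

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.config.OAuth2ServiceConfigurationBuilder;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.servlet.IasTokenAuthenticator;

/**
 * Exposes IasTokenAuthenticator as a Spring bean so a filter can constructor-inject it,
 * instead of subclassing it with @Component.
 *
 * Assumed application.yml for the "local" profile (keys chosen for this example):
 *
 *   identity:
 *     url: https://TENANT.accounts.ondemand.com   # placeholder
 *     clientid: LOCAL_CLIENT_ID                    # placeholder
 *     clientsecret: LOCAL_CLIENT_SECRET            # placeholder; a real secret belongs in an untracked profile file
 */
@Configuration
@EnableConfigurationProperties(IasConfig.IdentityProperties.class)
public class IasConfig {

    /** Bound from application.yml by Spring Boot's relaxed property binding. */
    @ConfigurationProperties(prefix = "identity")
    public static class IdentityProperties {
        private String url;
        private String clientid;
        private String clientsecret;

        public String getUrl() { return url; }
        public void setUrl(String url) { this.url = url; }
        public String getClientid() { return clientid; }
        public void setClientid(String clientid) { this.clientid = clientid; }
        public String getClientsecret() { return clientsecret; }
        public void setClientsecret(String clientsecret) { this.clientsecret = clientsecret; }
    }

    /** On CF / K8s: the no-arg constructor reads the service binding from the environment, as in the filter above. */
    @Bean
    @Profile("!local")
    public IasTokenAuthenticator iasTokenAuthenticator() {
        return new IasTokenAuthenticator();
    }

    /** Locally: build the service configuration from application.yml instead of System::getenv. */
    @Bean
    @Profile("local")
    public IasTokenAuthenticator localIasTokenAuthenticator(IdentityProperties props) {
        OAuth2ServiceConfiguration serviceConfig = OAuth2ServiceConfigurationBuilder
                .forService(Service.IAS)          // assumed builder API of the library
                .withUrl(props.getUrl())
                .withClientId(props.getClientid())
                .withClientSecret(props.getClientsecret())
                .build();
        IasTokenAuthenticator authenticator = new IasTokenAuthenticator();
        // assumed: withServiceConfiguration(...) replaces the environment lookup with the explicit configuration
        authenticator.withServiceConfiguration(serviceConfig);
        return authenticator;
    }
}
```

With this in place the filter's `@Autowired` constructor from the issue resolves without a wrapper subclass, and starting the app with `--spring.profiles.active=local` switches the token validator to the application.yml values while deployed instances keep using the service binding.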
Issue Analytics: Created 2 years ago; Comments: 12 (6 by maintainers)
I found another issue today: When you send a request to the server with an invalid JWT (e.g. bla), it responds with a 500 instead of a 401. See also stacktrace below:

I found out what the issue was with the AuthenticationEntryPoint not working (and this also gets rid of the 500 when the lib is trying to parse an invalid token).

With the current setup, the filter that is being autowired and that calls into your library is the org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter. When an exception is being thrown during token validation, it does not delegate to the configured AuthenticationEntryPoint. Instead, it delegates to an AuthenticationFailureHandler. This must be configured separately. The setup isn’t straight-forward, but the following config worked for me:

So summing up, all my problems are solved now. Thanks again for all your help, very much appreciated!
I’d still strongly vote for improving the error message that is logged when the service configuration for the XSUAA/Identity service is missing. I believe that’s something other people will run into as well.
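The config the commenter used is not on the page; the following is an added example of my own, not theirs and not the sample's code, showing the mechanism described in the comment: installing a BearerTokenAuthenticationFilter with an explicit AuthenticationFailureHandler so that every token validation failure ends in a 401 with a WWW-Authenticate header rather than a 500. It assumes a JwtDecoder bean is already provided by the hybrid setup (the bean the sample complained about), and the package name reuses the sample's `sample.spring.security`. `BearerTokenAuthenticationFilter.setAuthenticationFailureHandler` and `HttpSecurity.addFilterAt` are standard Spring Security 5.2+ API.

```java
package sample.spring.security; // the sample's package, reused for this example

import java.io.IOException;
import java.util.Collections;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // assumed to be supplied by the hybrid setup (the JwtDecoder bean the sample asked for)
    private final JwtDecoder jwtDecoder;

    public SecurityConfiguration(JwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    /** Maps every bearer-token failure (malformed, expired, wrong issuer, ...) to 401, never 500. */
    @Bean
    public AuthenticationFailureHandler unauthorizedFailureHandler() {
        return (HttpServletRequest request, HttpServletResponse response, AuthenticationException ex) -> {
            // RFC 6750 style challenge; the reason stays generic so no token or parser detail reaches the client
            response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            // keep the detailed cause server-side for detection/triage; the client gets a constant message
            logger.info("bearer token rejected for " + request.getRequestURI() + ": " + ex.getMessage());
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or missing bearer token");
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // the same filter Spring would register via oauth2ResourceServer(), but with our failure handler attached
        AuthenticationManager manager =
                new ProviderManager(Collections.singletonList(new JwtAuthenticationProvider(jwtDecoder)));
        BearerTokenAuthenticationFilter bearerFilter = new BearerTokenAuthenticationFilter(manager);
        bearerFilter.setAuthenticationFailureHandler(unauthorizedFailureHandler());

        http.csrf().disable()                                   // stateless bearer-token API, no session cookie
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilterAt(bearerFilter, BearerTokenAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .anyRequest().denyAll();
    }
}
```

A quick check after wiring this: a request to `/api/...` with `Authorization: Bearer bla` (the invalid token from the comment) should now return 401 with the `WWW-Authenticate` challenge, and the server log should carry the real parser reason instead of a stack trace from an unhandled exception.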