AuthenticationManager bean is missing when upgraded to Spring Boot 2.0.0.M6

Today I upgraded one of my samples from Spring Boot 2.0.0.M4 to 2.0.0.M6.

https://github.com/hantsy/spring-microservice-sample

When starting up auth-service, it complains that the AuthenticationManager bean does not exist in my AuthenticationController; I have to expose it manually in my security config.

@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
	return super.authenticationManagerBean();
}

Has something changed in Spring Boot 2.0.0.M6?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 16 (4 by maintainers)

Top GitHub Comments

l0co commented, Apr 14, 2018 (51 reactions)

AuthenticationManager bean is required for password grant type in Spring Security OAuth2. The whole design of AuthorizationServerConfigurer + ResourceServerConfigurer assumes that you never use WebSecurityConfigurerAdapter in an oauth2-based app. However now the only way to get the AuthenticationManager seems to be this:

@Configuration
public static class AuthenticationMananagerProvider extends WebSecurityConfigurerAdapter {

	@Bean
	@Override
	public AuthenticationManager authenticationManagerBean() throws Exception {
		return super.authenticationManagerBean();
	}

}

This is really confusing, because now, along with ResourceServerConfigurer, you have two beans exposing configure(HttpSecurity http). Which one should I use, then? They are not compatible.

This is the most obscure thing I’ve met so far in Spring Security OAuth2 and this is purely caused by not exposing AuthenticationManager automatically.

jgrandja commented, Jun 8, 2018 (7 reactions)

@l0co Yes, AuthenticationManager is required for the password grant type in Spring Security OAuth2. It’s required as a constructor arg in ResourceOwnerPasswordTokenGranter.

> The whole design of AuthorizationServerConfigurer + ResourceServerConfigurer assumes that you never use WebSecurityConfigurerAdapter in an oauth2-based app

This is not correct. You still need to configure your users either by providing an AuthenticationManager OR AuthenticationProvider OR configuring via AuthenticationManagerBuilder. This needs to happen in your WebSecurityConfigurerAdapter. Spring Security OAuth2 simply uses the AuthenticationManager that is configured by your WebSecurityConfigurerAdapter.

> However now the only way to get the AuthenticationManager seems to be this:
>
> @Configuration
> public static class AuthenticationMananagerProvider extends WebSecurityConfigurerAdapter {
>
> 	@Bean
> 	@Override
> 	public AuthenticationManager authenticationManagerBean() throws Exception {
> 		return super.authenticationManagerBean();
> 	}
>
> }

Yes, you do need to expose the AuthenticationManager as a @Bean via the authenticationManagerBean() override. However, I don’t see this being an overhead. It’s one simple override.

> This is really confusing, because now, along with ResourceServerConfigurer, you have two beans exposing configure(HttpSecurity http)

I think you meant to say AuthorizationServerConfigurer instead of ResourceServerConfigurer? The AuthorizationServerConfigurer needs to be wired with the AuthenticationManager in order to validate the user during the password grant flow. An example configuration would be:

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

	@Qualifier("authenticationManagerBean")
	@Autowired
	private AuthenticationManager authenticationManager;

	@Override
	public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
		endpoints.authenticationManager(this.authenticationManager);
	}
}

@l0co Does this clarify things?
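
The other half of the wiring described in the comment above, as an added example that is not part of the original issue or of the Spring projects' own code: a WebSecurityConfigurerAdapter that configures users through AuthenticationManagerBuilder and exposes the resulting AuthenticationManager under the bean name the AuthorizationServerConfig qualifier expects. The class name WebSecurityConfig and the demo-user / demo-password credentials are constructed placeholders; the in-memory store stands in for whatever user store the application really uses.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class name; any WebSecurityConfigurerAdapter subclass works.
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	// Delegating encoder: new hashes are stored with an "{id}" prefix
	// (bcrypt by default), so the algorithm can be upgraded later.
	@Bean
	public PasswordEncoder passwordEncoder() {
		return PasswordEncoderFactories.createDelegatingPasswordEncoder();
	}

	// Users are configured here; this is what the AuthenticationManager
	// used by the password grant will authenticate against.
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		PasswordEncoder encoder = passwordEncoder();
		auth.inMemoryAuthentication()
			.passwordEncoder(encoder)
			.withUser("demo-user")                      // constructed sample user
			.password(encoder.encode("demo-password"))  // never store plaintext
			.roles("USER");
	}

	// Expose the manager built from configure(AuthenticationManagerBuilder)
	// as a bean. The default bean name is the method name,
	// "authenticationManagerBean", which matches the @Qualifier above.
	@Bean
	@Override
	public AuthenticationManager authenticationManagerBean() throws Exception {
		return super.authenticationManagerBean();
	}
}
```

With this class present, the `@Autowired` AuthenticationManager field in AuthorizationServerConfig resolves, and the password grant validates credentials against the users configured in `configure(AuthenticationManagerBuilder)`.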
