Fails to work with Spring Security after upgrading to Spring Boot 2.5 #707
Comments
After another few hours of digging into this problem, I think it may be caused by issue of dependencies between beans. For some reason I haven't figured out yet, Instantiation priority of The best way to fix it I've found is to replace return type of |
Any status update on this? This seems like a complete showstopper |
We also depend on this bugfix. We have found a workaround for spring-problem-web v0.26.2 to just create an ExceptionHandling with ControllerAdvice ourselves. Would be great if this bugfix could be released soon. |
I suspect this is actually another manifestation of the same issue as #696 |
Vanilla spring boot project with |
Could the recent deprecation of WebSecurityConfigurerAdapter in Spring Security (https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter) also affect this somehow? |
Vanilla spring boot project with Environment :
Authentication failure will cause empty response with status 200. Same problem with

```xml
<dependency>
    <groupId>org.zalando</groupId>
    <artifactId>problem-spring-web-starter</artifactId>
    <version>0.28.0-RC.0</version>
</dependency>
```

My workaround or fix is to add a

```java
package com.example.demo;

import org.springframework.web.bind.annotation.ControllerAdvice;
import org.zalando.problem.spring.web.advice.ProblemHandling;
import org.zalando.problem.spring.web.advice.security.SecurityAdviceTrait;

// Explicit controller advice combining the general and the security problem handling traits.
@ControllerAdvice
public class ProblemSecurityAdvice implements ProblemHandling, SecurityAdviceTrait {
}
```

We find the expected behavior. Authentication failure will cause JSON response with status 401.

```json
{
  "title": "Unauthorized",
  "status": 401,
  "detail": "Full authentication is required to access this resource"
}
```

I think that the comment of @ieu is good here, in any case we are close to the problem, the instantiation of this bean is problematic even if it represents exactly the same thing as the class described above. On the other hand, there is most certainly a problem with the order of the beans to be instantiated. |
Why is this PR #728 not merged if it fixes the problem? |
I think the root of the problem is introduced in this PR #413. Before this change (in version 0.25.2 and below) there was This way spring has registered it as a bean and also registered it as a The mechanism was changed in mentioned PR (0.26.0+). Now, it's But here is the problem. The bean type is If we change the return type of bean-factory method to Basically, the code should be changed to this:

```java
@Bean
@ConditionalOnMissingBean(AdviceTrait.class)
public SecurityExceptionHandling securityExceptionHandling() {
    return new SecurityExceptionHandling();
}
```

The PR #413 contains some tests, but they do not fully cover the case, e.g.:

```java
@Test
void shouldConfigureExceptionHandling(
        @Autowired final AdviceTrait trait) {
    assertThat(trait).isExactlyInstanceOf(SecurityExceptionHandling.class);
}
```

This test checks that bean is present in the context and that it's the correct implementation, but it doesn't check that Also I found another test that should catch this problem, but it doesn't. It doesn't catch the problem because test class and advice both live in the same package, that falls under component auto-scan. I confirmed that by removing the code that registers As soon as I moved test classes into a sibling package the test started to fail, showing that It's interesting, that there is no problem with |
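Added example, not part of the thread or of problem-spring-web's own code: an application-level regression test that checks the reported behaviour over HTTP, so an authentication failure that comes back as an empty 200 fails the build even when the advice bean is present in the context. It assumes `/echo` accepts GET and requires authentication, and that the application routes authentication failures to the library's problem handling; the class name is hypothetical.

```java
package com.example.demo;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class; lives in the application's package, not in the
// library's package, so the library's advice is not picked up by component scan.
@SpringBootTest
@AutoConfigureMockMvc
class UnauthenticatedProblemResponseTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void unauthenticatedRequestYieldsProblem401() throws Exception {
        // Assumption: GET /echo is protected by the application's security configuration.
        mockMvc.perform(get("/echo"))
                // The failure mode in this issue is an empty body with status 200.
                .andExpect(status().isUnauthorized())
                .andExpect(content().contentTypeCompatibleWith("application/problem+json"))
                // Same fields as the expected JSON response quoted in the thread.
                .andExpect(jsonPath("$.title").value("Unauthorized"))
                .andExpect(jsonPath("$.status").value(401));
    }
}
```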
`problem-spring-web` fails to work with Spring Security after upgrading to Spring Boot 2.5

Description
After introducing `spring-security` as dependency:
`problem-spring-web` will no longer work.

Expected Behavior
Work as expected.
For example, normally with `problem-spring-web`, a validation failure message looks like below:

Actual Behavior
Authentication failure will cause empty response with status 200.
Application will simply respond as Spring Boot's default behavior will do on other exceptions thrown:

Possible Fix
I personally have no idea about this

Steps to Reproduce
`problem-spring-web` as dependency:
All tests fail except for `testEcho`.
I also tried simulating requests to `/echo` using `curl`, and got the same result.

Context
I find that if I register my own AdviceTrait bean in `SecurityConfiguration`, `problem-spring-web` will work again:

Your Environment
`problem-spring-web` version: 0.27.0

AND here is the runnable demo project attached: demo.zip