
Resource server using AuthenticationManagerResolver and disabled anonymous authentication: "An AuthenticationManager is required" #10475


Closed
cselagea opened this issue Nov 6, 2021 · 3 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: declined A suggestion or change that we don't feel we should currently apply

Comments

cselagea commented Nov 6, 2021

Describe the bug
When OAuth 2.0 Resource Server support is configured, in combination with disabling anonymous authentication, then org.springframework.security.access.intercept.AbstractSecurityInterceptor throws IllegalArgumentException with the message "An AuthenticationManager is required".

Similar to #8031, but my configuration has oauth2ResourceServer().authenticationManagerResolver(...) instead of oauth2ResourceServer().jwt().

To Reproduce
Configure HttpSecurity similar to below and run the application.

http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .anonymous().disable()
    .oauth2ResourceServer()
        .authenticationManagerResolver(new JwtIssuerAuthenticationManagerResolver("https://example.com"));

Expected behavior
The application should start without requiring an AuthenticationManager to be configured.

Sample
See cselagea@25931e5.

@cselagea cselagea added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 6, 2021
@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 8, 2021
jzheaux commented Nov 10, 2021

Thanks for the report, @cselagea. This appears to be happening because AbstractSecurityInterceptor is expecting an AuthenticationManager.

It may be reasonable to relax that constraint -- I'll take a look.

In the meantime, please consider upgrading to authorizeHttpRequests which uses the new AuthorizationFilter. This new filter replaces AbstractSecurityInterceptor, like so:

http
    .authorizeHttpRequests()
        .anyRequest().authenticated()
        .and()
    .anonymous().disable()
    .oauth2ResourceServer()
        .authenticationManagerResolver(new JwtIssuerAuthenticationManagerResolver("https://example.com"));

cselagea (Author) commented

Thanks for the tip, @jzheaux. Using authorizeHttpRequests works like a charm. I had seen this method, but frankly didn't know the difference. I was following the Spring Security documentation, which is how I ended up using authorizeRequests in the first place.

jzheaux commented Nov 10, 2021

@cselagea, I resolved to update the samples and the docs in lieu of relaxing the restriction in AbstractSecurityInterceptor, so I'll close the issue at this point. Apps should use authorizeHttpRequests these days.

@jzheaux jzheaux closed this as completed Nov 10, 2021
@jzheaux jzheaux added status: declined A suggestion or change that we don't feel we should currently apply and removed type: bug A general bug labels Nov 10, 2021