An AuthenticationManager is required. Oauth2ResourceServer + anonymous disable #8031

Closed
shermende opened this issue Feb 28, 2020 · 5 comments
Labels: in: oauth2, status: backported, type: bug

@shermende
Hello, I caught strange behavior when I disabled anonymous() in WebSecurityConfigurerAdapter with the oauth2ResourceServer().jwt() option.
This setting throws an exception on startup: An AuthenticationManager is required.
Used version: 2.2.4.RELEASE.
The same settings work on 2.1.x.RELEASE

Yes, I understand that if I specify a bean, the error will disappear, but this behavior seems strange.

Sample here

    public class AnonymousDisableApplication extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                    .anonymous()
                    .disable()
                    .oauth2ResourceServer()
                    .jwt()
            ;
        }
    
    }
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 28, 2020
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 28, 2020
@jzheaux jzheaux added this to the 5.3.0 milestone Feb 28, 2020
jzheaux added a commit that referenced this issue Feb 29, 2020
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Feb 29, 2020
jzheaux added a commit that referenced this issue Feb 29, 2020
@jzheaux jzheaux added type: bug A general bug and removed type: enhancement A general enhancement labels Mar 2, 2020
@cccs-cat001
What was the fix for this issue? I'm currently hitting it with this config:

    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

      @Autowired
      private AADAppRoleStatelessAuthenticationFilter aadAuthFilter;

      @Bean
      public AuthenticationEntryPoint entrypoint() {
        System.out.println("ENTRYPOINT");
        return new AuthenticationEntryPoint();
      }

      @Override
      protected void configure(HttpSecurity http) throws Exception {
        System.out.println("CONFIG");
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
        http.anonymous().disable();
        http.authorizeRequests().antMatchers("OPTIONS", "/**").permitAll()
            .antMatchers("/login", "/login/**").permitAll().anyRequest().authenticated().and()
            .exceptionHandling().authenticationEntryPoint(entrypoint());
        http.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);

      }
    }

@jzheaux
jzheaux commented Dec 3, 2020

Thanks, @cccs-cat001 for reaching out, but I don't think it's the same situation. The reported issue was for when oauth2ResourceServer() and anonymous().disabled() were combined.

I believe your issue is that you haven't specified any authentication mechanisms. If you have control over how AADAppRoleStatelessAuthenticationFilter is coded, consider creating an authentication provider instead and wiring that into the DSL.

If that doesn't address your question, please consider posting to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or file a ticket if you feel this is a genuine bug.
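
An added example (not code from this thread or from Spring Security) of the approach suggested above: an AuthenticationProvider registered through the configuration, so the AuthenticationManager has something to delegate to while anonymous() is disabled. It assumes Spring Security 5.2+ with WebSecurityConfigurerAdapter; the class name, the X-Auth-Token header, the TOKEN_HMAC_KEY variable and the signed-token format are hypothetical stand-ins, not how AADAppRoleStatelessAuthenticationFilter works.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.*;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

@EnableWebSecurity
public class ProviderBackedSecurityConfig extends WebSecurityConfigurerAdapter {
    // Assumed token format: "<subject>.<base64url(HMAC-SHA256(subject))>". An unset key rejects every token.
    private final byte[] key = System.getenv().getOrDefault("TOKEN_HMAC_KEY", "").getBytes(StandardCharsets.UTF_8);
    private final AuthenticationProvider provider = new AuthenticationProvider() {
        @Override
        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            String[] parts = String.valueOf(auth.getCredentials()).split("\\.", 2);
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(key, "HmacSHA256"));
                byte[] expected = mac.doFinal(parts[0].getBytes(StandardCharsets.UTF_8));
                // MessageDigest.isEqual compares in constant time
                if (parts.length == 2 && MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[1]))) {
                    return new PreAuthenticatedAuthenticationToken(parts[0], null, AuthorityUtils.createAuthorityList("ROLE_USER"));
                }
            } catch (java.security.GeneralSecurityException | IllegalArgumentException e) { /* reject below */ }
            throw new BadCredentialsException("Invalid token");
        }
        @Override
        public boolean supports(Class<?> type) { return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(type); }
    };
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(provider); // the AuthenticationManager now has a provider to delegate to
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AuthenticationFilter filter = new AuthenticationFilter(authenticationManager(), request -> {
            String token = request.getHeader("X-Auth-Token"); // hypothetical header name
            return token == null ? null : new PreAuthenticatedAuthenticationToken("n/a", token);
        });
        filter.setSuccessHandler((request, response, authentication) -> { }); // no redirect, continue the chain
        http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
            .anonymous().disable().authorizeRequests().anyRequest().authenticated();
    }
}
```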

@cselagea
cselagea commented Nov 5, 2021

I'm hitting this issue when using an AuthenticationManagerResolver. Here's my configuration:

    @Configuration
    @ConditionalOnClass(ServletRegistration.class)
    @ConditionalOnProperty(
            value = "spring.main.web-application-type",
            havingValue = "servlet",
            matchIfMissing = true)
    @Import(JwtAuthenticationConfiguration.class)
    @EnableWebSecurity
    public class WebSecurityAutoConfiguration {

        @Bean
        public SecurityFilterChain bearerTokenSecurityFilterChain(
                HttpSecurity http,
                AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) throws Exception {
            return http
                    .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
                    .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver))
                    .anonymous().disable()
                    .build();
        }

    }

where the authenticationManagerResolver bean is an instance of JwtIssuerAuthenticationManagerResolver that's configured in JwtAuthenticationConfiguration.

The following test fails due to "java.lang.IllegalArgumentException: An AuthenticationManager is required".

    @Test
    void verifySecurityFilterChainIsCreated() {
        new WebApplicationContextRunner()
                .withConfiguration(AutoConfigurations.of(WebSecurityAutoConfiguration.class, SecurityAutoConfiguration.class))
                .run(context -> assertThat(context).hasBean("bearerTokenSecurityFilterChain"));
    }

@jzheaux should I open a new issue to report this?

@jzheaux
jzheaux commented Nov 5, 2021

Please do, @cselagea. Also, if you provide a reproducing sample, then that can help accelerate any needed fix.

@cselagea
cselagea commented Nov 5, 2021

> Also, if you provide a reproducing sample, then that can help accelerate any needed fix.

I'll probably fork this repository and try to add a test to OAuth2ResourceServerConfigurerTests that reproduces the problem, if that makes sense @jzheaux.
