Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

java.lang.ClassCastException when using default management security with WebFlux and health probes enabled #44052

Closed
edudar-chwy opened this issue Feb 3, 2025 · 6 comments
Closed

java.lang.ClassCastException when using default management security with WebFlux and health probes enabled #44052

edudar-chwy opened this issue Feb 3, 2025 · 6 comments
Assignees
@wilkinsona
Labels
type: regression A regression from a previous release
Milestone
3.4.3

Comments

@edudar-chwy
Copy link

edudar-chwy commented Feb 3, 2025
edited
Loading

Environment:

  • Spring Boot: 3.4.2
  • Spring: 6.2.2
  • Kubernetes

After upgrading to Spring Boot 3.4 from 3.3 I see an unexpected ClassCastException while calling /health endpoints on Kubernetes, specifically because this works locally as availability probes are not enabled unless in Kubernetes or CloudFoundry or explicitly in properties:

class org.springframework.boot.actuate.autoconfigure.availability.AvailabilityProbesHealthEndpointGroups cannot be cast to class org.springframework.boot.actuate.endpoint.web.AdditionalPathsMapper

While tracing it down, I narrowed the change to #40962 and this commit when additionalPathsMappers were added to WebEndpointDiscoverer.

HealthEndpointConfiguration creates a bean of type HealthEndpointGroups named healthEndpointGroups with the instance of AutoConfiguredHealthEndpointGroups that implements HealthEndpointGroups, AdditionalPathsMapper.

At the same time, AvailabilityProbesAutoConfiguration creates a post-processor of type AvailabilityProbesHealthEndpointGroupsPostProcessor that, in turn, also creates a bean of HealthEndpointGroups but using an instance of AvailabilityProbesHealthEndpointGroups that implements only HealthEndpointGroups but not AdditionalPathsMapper.

When WebEndpointAutoConfiguration creates webEndpointDiscoverer it autowires ObjectProvider<AdditionalPathsMapper> additionalPathsMappers and uses additionalPathsMappers.orderedStream().toList() but this calls hides the problem due to generics. Calling additionalPathsMappers.getIfAvailable() fails with BeansNotOfRequiredTypeException which is correct.

Digging deeper into additionalPathsMappers.orderedStream(), I see DefaultListableBeanFactory.findAutowireCandidates() tries to find candidateNames by AdditionalPathsMapper.class and gets "healthEndpointGroups", but when beanfactory gets a bean by that name, it is AvailabilityProbesHealthEndpointGroups which does not implement AdditionalPathsMapper. Because of generics, this issue is not showing up all the way until DiscoveredWebEndpoint.getAdditionalPaths() is called because if explicitly requires AdditionalPathsMapper but gets AvailabilityProbesHealthEndpointGroups which is not.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 3, 2025
@tim-08df33fc
Copy link

Hi @edudar-chwy. 👋 Thank you for creating this detailed issue. I'm running into this problem as well and had to downgrade to 3.3. Do you perhaps have a workaround for this regression?

@wilkinsona
Copy link
Member

Thanks for the detailed analysis, @edudar-chwy. Can you please take a step back and share some more information about your application's configuration and also the stack trace of the ClassCastException? The ideal way to do so is by providing a complete yet minimal sample that reproduces the failure.

I've managed to trigger the following failure:

java.lang.ClassCastException: class org.springframework.boot.actuate.autoconfigure.availability.AvailabilityProbesHealthEndpointGroups cannot be cast to class org.springframework.boot.actuate.endpoint.web.AdditionalPathsMapper (org.springframework.boot.actuate.autoconfigure.availability.AvailabilityProbesHealthEndpointGroups and org.springframework.boot.actuate.endpoint.web.AdditionalPathsMapper are in unnamed module of loader 'app')
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[na:na]
	at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:720) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627) ~[na:na]
	at org.springframework.boot.actuate.endpoint.web.annotation.DiscoveredWebEndpoint.getAdditionalPaths(DiscoveredWebEndpoint.java:60) ~[main/:na]
	at org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints.getAdditionalPaths(PathMappedEndpoints.java:133) ~[main/:na]
	at org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints.getAdditionalPaths(PathMappedEndpoints.java:129) ~[main/:na]
	at org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest$AdditionalPathsEndpointRequestMatcher.streamAdditionalPaths(EndpointRequest.java:413) ~[main/:na]
	at org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest$AdditionalPathsEndpointRequestMatcher.lambda$2(EndpointRequest.java:405) ~[main/:na]
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179) ~[na:na]
	at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:992) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[na:na]
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921) ~[na:na]
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[na:na]
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[na:na]
	at org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest$AdditionalPathsEndpointRequestMatcher.createDelegate(EndpointRequest.java:406) ~[main/:na]
	at org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest$AbstractRequestMatcher.createDelegate(EndpointRequest.java:203) ~[main/:na]
	at org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest$AbstractRequestMatcher.initialized(EndpointRequest.java:193) ~[main/:na]
	at org.springframework.boot.security.servlet.ApplicationContextRequestMatcher.matches(ApplicationContextRequestMatcher.java:66) ~[main/:na]
	at org.springframework.security.web.util.matcher.RequestMatcher.matcher(RequestMatcher.java:48) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager.check(RequestMatcherDelegatingAuthorizationManager.java:82) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.access.intercept.RequestMatcherDelegatingAuthorizationManager.check(RequestMatcherDelegatingAuthorizationManager.java:49) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.authorization.ObservationAuthorizationManager.check(ObservationAuthorizationManager.java:77) ~[spring-security-core-6.4.2.jar:6.4.2]
	at org.springframework.security.authorization.AuthorizationManager.authorize(AuthorizationManager.java:69) ~[spring-security-core-6.4.2.jar:6.4.2]
	at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:96) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:181) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:243) ~[spring-webmvc-6.2.2.jar:6.2.2]
	at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:238) ~[spring-security-config-6.4.2.jar:6.4.2]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362) ~[spring-web-6.2.2.jar:6.2.2]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278) ~[spring-web-6.2.2.jar:6.2.2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.34.jar:10.1.34]
	at java.base/java.lang.Thread.run(Thread.java:840) ~[na:na]

It requires the use of EndpointRequest.toAdditionalPaths of which you've made no mention so I'm not sure that I'm looking at the same problem.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Feb 7, 2025
@tim-08df33fc
Copy link

Hi @wilkinsona

Please find the attached minimal reproduction with logs and traces:

demo.zip

application.log

http-trace.log

Many thanks for taking a look at this 🙏

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 7, 2025
@wilkinsona
Copy link
Member

Thanks, @tim-08df33fc. I can see that you're using Boot's default management security which uses EndpointRequest.toAdditionalPaths. This is the reactive equivalent of the failure I produced using the servlet stack.

@edudar-chwy I'd still welcome some information about your setup so that we can be sure that any fix addresses your problem too.

@wilkinsona wilkinsona added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Feb 7, 2025
@tim-08df33fc
Copy link

tim-08df33fc commented Feb 7, 2025
edited
Loading

Thank you @wilkinsona . I've provided my own security configuration with a SecurityWebFilterChain bean and that works around the problem:

package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(
            ServerHttpSecurity http) {
        return http.authorizeExchange((exchanges) ->
                exchanges
                        .pathMatchers("/actuator/health/liveness").permitAll()
                        .pathMatchers("/actuator/health/readiness").permitAll()
                        .anyExchange().authenticated()).build();
    }
}

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 7, 2025
@wilkinsona wilkinsona added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Feb 7, 2025
@edudar-chwy
Copy link
Author

@wilkinsona, the stacktrace is pretty much identical to what @tim-08df33fc posted:

java.lang.ClassCastException: class org.springframework.boot.actuate.autoconfigure.availability.AvailabilityProbesHealthEndpointGroups cannot be cast to class org.springframework.boot.actuate.endpoint.web.AdditionalPathsMapper (org.springframework.boot.actuate.autoconfigure.availability.AvailabilityProbesHealthEndpointGroups and org.springframework.boot.actuate.endpoint.web.AdditionalPathsMapper are in unnamed module of loader 'app')
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
	at java.base/java.util.AbstractList$RandomAccessSpliterator.forEachRemaining(AbstractList.java:722)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575)
	at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260)
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616)
	at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622)
	at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627)
	at org.springframework.boot.actuate.endpoint.web.annotation.DiscoveredWebEndpoint.getAdditionalPaths(DiscoveredWebEndpoint.java:60)
	at org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints.getAdditionalPaths(PathMappedEndpoints.java:133)
	at org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints.getAdditionalPaths(PathMappedEndpoints.java:129)
	at org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest$AdditionalPathsEndpointServerWebExchangeMatcher.streamAdditionalPaths(EndpointRequest.java:397)
	at org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest$AdditionalPathsEndpointServerWebExchangeMatcher.lambda$createDelegate$0(EndpointRequest.java:389)
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:179)
	at java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:1024)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682)
	at org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest$AdditionalPathsEndpointServerWebExchangeMatcher.createDelegate(EndpointRequest.java:390)
	at org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest$AdditionalPathsEndpointServerWebExchangeMatcher.createDelegate(EndpointRequest.java:353)
	at org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest$AbstractWebExchangeMatcher.createDelegate(EndpointRequest.java:174)
	at org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest$AbstractWebExchangeMatcher.initialized(EndpointRequest.java:169)
	at org.springframework.boot.security.reactive.ApplicationContextServerWebExchangeMatcher.getContext(ApplicationContextServerWebExchangeMatcher.java:87)
	at org.springframework.boot.security.reactive.ApplicationContextServerWebExchangeMatcher.matches(ApplicationContextServerWebExchangeMatcher.java:59)
	at org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher.lambda$matches$1(OrServerWebExchangeMatcher.java:58)
	<lots of reactor traces down here>

We don't call EndpointRequest.toAdditionalPaths explicitly, that's why I didn't mention that. But yes, it's a part of the built-in security filter chain in ReactiveManagementWebSecurityAutoConfiguration.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 8, 2025
@wilkinsona wilkinsona changed the title Conflict between HealthEndpointConfiguration and AvailabilityProbesAutoConfiguration java.lang.ClassCastException when using default management security with WebFlux and health probes enabled Feb 8, 2025
@wilkinsona wilkinsona added type: regression A regression from a previous release and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Feb 8, 2025
@wilkinsona wilkinsona added this to the 3.4.x milestone Feb 8, 2025
@wilkinsona wilkinsona self-assigned this Feb 10, 2025
@wilkinsona wilkinsona mentioned this issue Feb 10, 2025
Closed
@wilkinsona wilkinsona modified the milestones: 3.4.x, 3.4.3 Feb 10, 2025
@Netyyyy Netyyyy mentioned this issue Feb 22, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wilkinsona wilkinsona

Labels
type: regression A regression from a previous release
Projects
None yet
Milestone
3.4.3
Development

No branches or pull requests
4 participants
@wilkinsona @spring-projects-issues @edudar-chwy @tim-08df33fc