SecurityContextHolderFilter does not apply to async dispatch #11962
Comments
jkjome
added
status: waiting-for-triage
|
Hi @jkjome!
Not that I'm aware of. Thanks for reaching out. There have been a number of changes recently to update defaults for various aspects of the framework. As we're heads down preparing for this release, it would be helpful if you could provide a minimal, reproducible sample. The above code sample does not provide a way to run a reproducible example, such as a unit test or a self-contained Spring Boot application (with instructions for reproducing). Can you provide one? |
sjohnr
added
status: waiting-for-feedback
|
It occurred to me that my Spring Security inbound rules were affecting outbound WebClient calls. I did a search and found issue #10589 that confirmed my suspicion that something like that might be occurring. I played with some settings and found a new API that appears to resolve my issue under spring-security:6.0.0-M6+ (and wasn't necessary prior to that). It seems to me that this just shouldn't happen... and doesn't under prior versions of Spring Security. If I provide Of course, I don't know if this is the appropriate approach, nor whether something else in my config should just be changed so that @Bean
SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
http.authorizeHttpRequests(cstmzr -> cstmzr
.shouldFilterAllDispatcherTypes(false) //<-- Fixes WebClient issue, but what does it do???
.anyRequest().authenticated()
)
.csrf(cstmzr -> cstmzr.disable())
.httpBasic(withDefaults());
return http.build();
} |
spring-projects-issues
added
status: feedback-provided
|
@marcusdacoregio do we have any documentation on the new method, or thoughts about the above issue? |
|
Thanks @marcusdacoregio. @jkjome it seems you’re experiencing symptoms of a new default in 6.0, but I’d like to understand the scenario as well. I’m less familiar with dispatcher types in Spring, but I’m guessing you’re operating under another type, such as ASYNC. I think the minimal sample will help quite a bit because there’s a number of things that could be going on. I wonder for example what your client security configuration looks like, as well as whether the server you’re accessing is affecting things. I can’t tell just glancing at the code provided. |
sjohnr
added
status: waiting-for-feedback
|
Just wanted to mention that I can replace However, it's been difficult to come up with a minimal testcase. I tried a minimal setup where I made an outbound I've been trying to come up with my own self-signed cert to try to create a minimal testcase, but I keep running into various certificate errors attempting to use it. So far, the only way I can reproduce this is by using my own real certiificate against a URL that accepts my certificate for Client Cert-based Auth. And, obviously, I can't publish that. So, I'm hoping somone on the spring-security team will have more certificate knowledge/mojo to re-create the scenario I've described. Below are the complete contents of the log, including stacktraces, that result when I don't use one of the above two workarounds when calling one of my Client Cert-based Auth protected URLs using |
spring-projects-issues
added
status: feedback-provided
|
Thanks @jkjome. At this point, if you could at least share the your client code, mainly the entire controller and the Spring Security configuration, that would be helpful. I also think the log entries leading up to the stacktraces would be useful, but do make sure to set the log level to trace ( |
sjohnr
added
status: waiting-for-feedback
|
Hi @sjohnr. See the attached zip file containing the code, as well as a text file containing relevant trace logging you requested: wcauthfail.zip After further testing, it looks like there are 3 ingredients required to reproduce this issue...
The zip file contains an The The Hopefully that is all you will need to determine the root cause of this issue and prevent it from leaking into a non-milestone release. |
spring-projects-issues
added
status: feedback-provided
|
Thanks @jkjome. After looking at the provided sample and creating a simple parallel example of my own, I believe I have partially reproduced it without Client-Cert auth. I can reproduce an I believe the Specifically, Spring Security does support Prior to I'm not yet sure why your sample case is allowed write a Short of adding an enhancement to support an expanded set of return types for Asynchronous request processing in Spring Security, I'm not sure this case would require fixing in time for the release (or indeed is even a bug, but an expected outcome in 6.0). I could be wrong, of course. We'll keep the issue open and revisit this after |
sjohnr
added
in: web
|
Hello, I think I have the same issue, but with a controller, returning a @Bean
BearerTokenResolver bearerTokenResolver() {
final DefaultBearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
bearerTokenResolver.setAllowUriQueryParameter(true);
return bearerTokenResolver;
}When I am issuing a GET with a token in parameter, it is accepted but then an exception is thrown: The current workaround is to add @Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.cors(Customizer.withDefaults());
// Disable csrf, this is a stateless API
http.csrf().disable();
// Disable cookies
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
// All the requests that target the access API are set up with a custom JWT
// authentication
http.authorizeHttpRequests(authorize -> authorize
.requestMatchers(apiConfig.getPermitAllWhitelist()).permitAll()
.dispatcherTypeMatchers(DispatcherType.ASYNC).permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer
.jwt(jwt -> jwt.decoder(jwtDecoder()))
.authenticationEntryPoint(this::onAuthenticationError));
return http.build();
} |
|
I'm not sure this is really fixed on v5.8.2 in Servlets. This breaks Controller methods that use e.g. CompletableFuture, returning a 401 despite the request having been executed. I'm not married to v5.8 and intend to upgrade to v6 right afterwards, so I'm happy to just add |
|
Hi @napstr, Are you using With that said, if you can confirm that this is not fixed and provide a minimal sample where we could go directly to the problem I recommend that you open a new issue and provide all the details there. |
|
@napstr, in addition to http
// ...
.securityContext((securityContext) -> securityContext
.requireExplicitSave(true)
.securityContextRepository(new DelegatingSecurityContextRepository(
new RequestAttributeSecurityContextRepository(),
new HttpSessionSecurityContextRepository()
))
); |
|
Apologies for the late response. I tried specifying the |
|
Although I applied all the solutions on the internet, I still could not solve the problem. Synchronous method in my controller works normally. https://github.com/fkbeys/javasprinasyncauthproblem |
|
Hi @fkbeys, it would be better if you could provide a minimal, reproducible sample. But I guess that you forget to save the Since it looks like you are not using HTTP sessions, you might want to use the |
Thank you for your help. and also, in filter chain, i set the requireExplicitSave option as true. |
|
Hi @fkbeys Could you please add detailed solution how you fixed this : I am using it like this but could not fix the issue : // .securityContext((securityContext -> securityContext.securityContextRepository(new RequestAttributeSecurityContextRepository()))) |
I have added 4 txt files for the authentication. they are actually .java files. |
|
Thank you @fkbeys for the detailed solution of yours. |
For Spring Security 6.1.2 , I cannot override the below method: its no longer there in SecurityContextHolderFilter |
Hi @marcusdacoregio , the overridden method : only works for spring 3.0.0 and not for 3.0.6 or 3.0.1. How can I fix the issue in this case? |
|
Hi @kotharikrati, you should not need the workaround anymore if you are using the latest version of Spring Security or at least >= 5.8.1 or >= 6.0.1. If you have the same error it is likely another thing is happening, please add |
|
Hi @marcusdacoregio , I will check again . Thank you! |
|
If anyone is experiencing a similar problem, it may be helpful to check the document below. https://docs.spring.io/spring-security/reference/5.8/migration/servlet/session-management.html |
Hello, As for other custom filters used in Spring Security , the method shouldNotFilterAsyncDispatch still exists. Thanks to the SpringSource Team for this great framework ! |
|
@pmouawad did you find anything related with it ? |
|
in Spring Security 6.3.1 this configuration works for us: |
Describe the bug
As mentioned in gitter...
My app currently runs on Spring Boot 2.7.4. I was testing compatibility with 3.0.0-M5. All appeared to work well except one aspect of spring-security, as part of presenting a client certificate using WebClient. I end up with "AccessDeniedException: Access is denied" thrown by AffirmativeBased.decide(AffirmativeBased.java:73). The handshake appears to work fine, and the handshake logging looks nearly identical to that under 2.7.4. But I got it to work after downgrading to spring-security:6.0.0-M5 (from M7). So, it seems something broke as of spring-security:6.0.0-M6. Is this a known issue, and will it be fixed in the next spring-security release?
To Reproduce
Expected behavior
Client certificate authentication succeeds... as it does under both Spring Boot 2.7.4 and 3.0.0-M5 with spring-security downgraded to 6.0.0-M5 (from 6.0.0-M7)
Sample
The text was updated successfully, but these errors were encountered: