
AntMatchers+oauth2 are not working on spring-boot 2.5.7+ #29158

Closed
Enigo opened this issue Dec 23, 2021 · 1 comment
Labels
status: invalid An issue that we don't feel is valid

Comments

@Enigo

Enigo commented Dec 23, 2021

Can be seen in action here --> https://github.com/Enigo/SpringSecurityBug

Expected behaviour

antMatchers together with oauth2ResourceServer are working properly on both 2.5.6 and 2.5.7+ spring-boot-starter-parent versions

Current behaviour

When updated to spring-boot-starter-parent version 2.5.7, antMatchers together with oauth2ResourceServer are not working anymore: Failed to authorize filter invocation

I think the relevant logs would be
2.5.7

2021-12-23 14:48:10.484 DEBUG 9552 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-12-23 14:48:10.717 DEBUG 9552 --- [nio-8080-exec-6] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2021-12-23 14:48:10.717 DEBUG 9552 --- [nio-8080-exec-5] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2021-12-23 14:48:10.718 DEBUG 9552 --- [nio-8080-exec-5] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@8dfbdb19, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN]]
2021-12-23 14:48:10.718 DEBUG 9552 --- [nio-8080-exec-6] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@8dfbdb19, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN]]
2021-12-23 14:48:10.727 DEBUG 9552 --- [nio-8080-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /api/exchanges/] with attributes [hasAnyRole('ADMIN, USER')]
2021-12-23 14:48:10.730 DEBUG 9552 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2021-12-23 14:48:10.732 DEBUG 9552 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

2.5.6

2021-12-23 14:54:26.282 DEBUG 10533 --- [nio-8080-exec-8] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2021-12-23 14:54:26.898 DEBUG 10533 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing GET /api/exchanges/
2021-12-23 14:54:26.899 DEBUG 10533 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2021-12-23 14:54:26.903 DEBUG 10533 --- [nio-8080-exec-9] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2021-12-23 14:54:26.904 DEBUG 10533 --- [nio-8080-exec-9] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@8dfbdb19, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ADMIN]]
2021-12-23 14:54:26.904 DEBUG 10533 --- [nio-8080-exec-9] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorized filter invocation [GET /api/exchanges/] with attributes [hasAnyRole('ADMIN, USER')]
2021-12-23 14:54:26.904 DEBUG 10533 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Secured GET /api/exchanges/
2021-12-23 14:54:26.906 DEBUG 10533 --- [nio-8080-exec-9] o.s.s.a.i.a.MethodSecurityInterceptor    : Authorized ReflectiveMethodInvocation: public java.lang.Iterable ExchangeController.getAllExchanges(); target is of class [com.smaato.sem.rest.exchange.ExchangeController] with attributes [ROLE_USER, ROLE_ADMIN]
2021-12-23 14:54:26.922 DEBUG 10533 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

On version 2.5.7 all is2xxSuccessful tests are failing with

java.lang.AssertionError: Range for response status value 403 expected:<SUCCESSFUL> but was:<CLIENT_ERROR>
Expected :SUCCESSFUL
Actual   :CLIENT_ERROR

Reproducible also on

https://github.com/spring-projects/spring-boot/releases/tag/v2.4.13
https://github.com/spring-projects/spring-boot/releases/tag/v2.6.0
There is a similar set of changes across those 3 versions.

Note!
I also added

spring:
  mvc:
    pathmatch:
      matching-strategy: ant_path_matcher

but it didn't help.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 23, 2021
@philwebb
Member

Spring Framework recently fixed a bug involving SpEL expressions and commas. Unfortunately your configuration relies on this bug.

If you change this line of your SecurityConfiguration from hasAnyRole('ADMIN, USER') to hasAnyRole('ADMIN', 'USER'), things work as expected.

@philwebb philwebb added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 11, 2022
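The configuration change the maintainer describes, with a MockMvc test that pins the expected authorization outcome so a regression of this kind fails in CI instead of in production. This is an added example, not code from the Enigo/SpringSecurityBug repository or from Spring Security itself; it assumes the Spring Boot 2.5.x / Spring Security 5.5 WebSecurityConfigurerAdapter style, spring-security-test on the test classpath, that the application already supplies a JwtDecoder (for example through spring.security.oauth2.resourceserver.jwt.issuer-uri), and that the endpoint path (/api/exchanges/) and the granted authority (ROLE_ADMIN) are the ones visible in the issue's logs; the class name ExchangeAuthorizationTest and the ROLE_GUEST authority are hypothetical.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.servlet.MockMvc;

@Configuration
class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // Before: ONE string literal. hasAnyRole prefixes it, so the only role
                // that satisfies the rule is "ROLE_ADMIN, USER", which no token carries.
                // Once the SpEL comma bug was fixed this yields 403 for every caller.
                // .antMatchers("/api/exchanges/**").access("hasAnyRole('ADMIN, USER')")

                // After: two separate arguments, matching ROLE_ADMIN or ROLE_USER.
                .antMatchers("/api/exchanges/**").access("hasAnyRole('ADMIN', 'USER')")

                // Equivalent without a SpEL string at all. The typed DSL method takes
                // varargs, so a mistyped or merged role name cannot hide inside a literal.
                // .antMatchers("/api/exchanges/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
    }
}

// Hypothetical test class (assumed name). The jwt() post-processor populates the
// SecurityContext directly, so no real token or JWKS endpoint is contacted.
@SpringBootTest
@AutoConfigureMockMvc
class ExchangeAuthorizationTest {

    @Autowired
    MockMvc mockMvc;

    // A token carrying ROLE_ADMIN, the authority seen in the issue's logs, must pass.
    @Test
    void adminRoleIsAuthorized() throws Exception {
        mockMvc.perform(get("/api/exchanges/")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_ADMIN"))))
            .andExpect(status().isOk());
    }

    // A token whose only authority is ROLE_USER must also satisfy hasAnyRole('ADMIN', 'USER').
    @Test
    void userRoleIsAuthorized() throws Exception {
        mockMvc.perform(get("/api/exchanges/")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_USER"))))
            .andExpect(status().isOk());
    }

    // Negative case: an unrelated role (constructed value) must be rejected with 403.
    // Pinning the deny path as well as the allow paths is what makes the test
    // detect both an accidental lock-out and an accidental over-grant.
    @Test
    void otherRoleIsForbidden() throws Exception {
        mockMvc.perform(get("/api/exchanges/")
                .with(jwt().authorities(new SimpleGrantedAuthority("ROLE_GUEST"))))
            .andExpect(status().isForbidden());
    }
}
```

Two points worth taking from this. First, the reporter's spring.mvc.pathmatch.matching-strategy setting could not have helped: it selects the path matcher used by Spring MVC handler mapping, while Spring Security's antMatchers use its own AntPathRequestMatcher, and the failure was in the SpEL access expression, not in path matching. Second, the typed hasAnyRole("ADMIN", "USER") form is preferable to an access("...") string wherever it expresses the rule, because the role list is then a Java varargs call that is checked by the compiler rather than a string parsed at runtime by SpEL.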