
WebSessionServerOAuth2AuthorizedClientRepository throws NPE when session is null #14975

Closed
akovalyev opened this issue Apr 27, 2024 · 1 comment · May be fixed by #14977
Labels: status: waiting-for-triage (An issue we've not yet triaged), type: bug (A general bug)

Comments


akovalyev commented Apr 27, 2024

Describe the bug
This line, session.getAttributes(), throws an NPE if we have a WebSession bean configuration like this to disable WebSession:

import org.springframework.context.annotation.Bean
import org.springframework.web.server.session.WebSessionManager
import reactor.core.publisher.Mono

@Bean
fun webSessionManager(): WebSessionManager {
    // Emulate SessionCreationPolicy.STATELESS: never resolve or create a WebSession
    return WebSessionManager { _ -> Mono.empty() }
}

Expected behavior
I think we could add null-safety when calling getAuthorizedClients in this place with a nullable session.

Configuration
Spring Cloud Gateway.

import org.springframework.context.annotation.Bean
import org.springframework.security.config.Customizer
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository
import org.springframework.security.web.server.SecurityWebFilterChain

@Bean
fun authorizedClientManager(
    clientRegistrationRepository: ReactiveClientRegistrationRepository,
    authorizedClientRepository: ServerOAuth2AuthorizedClientRepository
): ReactiveOAuth2AuthorizedClientManager {
    // Only the client_credentials grant is used by the gateway
    val authorizedClientProvider = ReactiveOAuth2AuthorizedClientProviderBuilder
        .builder()
        .clientCredentials()
        .build()
    // The injected repository is the WebSession-backed one that reads session.getAttributes()
    val authorizedClientManager = DefaultReactiveOAuth2AuthorizedClientManager(
        clientRegistrationRepository, authorizedClientRepository
    )
    authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider)
    return authorizedClientManager
}

@Bean
fun springSecurityFilterChainNonProd(
    httpSecurity: ServerHttpSecurity,
    // SomeIntrospector is the application's own ReactiveOpaqueTokenIntrospector (not shown here)
    someIntrospector: SomeIntrospector,
): SecurityWebFilterChain {
    return httpSecurity
        .cors(Customizer.withDefaults())
        .authorizeExchange { auth ->
            auth.anyExchange().authenticated()
        }
        .oauth2ResourceServer { oauth2 ->
            oauth2.opaqueToken {
                it.introspector(someIntrospector)
            }
        }
        .csrf { csrf -> csrf.disable() }
        .logout { logout -> logout.disable() }
        .build()
}


sjohnr commented May 2, 2024

@akovalyev, thanks for reaching out!

I want to point out that the javadoc for WebSessionManager states:

Return the {@link WebSession} for the given exchange. Always guaranteed
to return an instance either matching to the session id requested by the
client, or a new session either because the client did not specify one
or because the underlying session expired.

Your configuration does not honor the contract and therefore the issue is in your application. I'm happy to help you find a way to support your use case, but we prefer to use GitHub issues only for bugs and enhancements, so it would be best to ask a question on Stack Overflow and update this issue with a link to the question (so that other people can find it).

I'm going to close this issue for now with the above explanation.

@sjohnr sjohnr closed this as completed May 2, 2024