JwtIssuerReactiveAuthenticationManagerResolver bean from autoconfiguration has a bug #100
Comments
… from autoconfiguration
Good catch. Would you create a PR for that? If I just copy your code, you would not get the authoring.
…ssuer is not listed in configuration
Thank you for your contribution!
…utoconfiguration bugfix
@lArtiquel I just released
Both are now available from maven-central (I just checked).
I also updated the main README (after the releases so that there is no risk one finds it in README but not on maven-central).
Thank you again for reporting the bug, finding a fix and submitting a PR for each branch!
Do not hesitate to submit a feature request if you are missing something on the 5.x branch that would be only on the 6.x. I'd handle the backport.
Description
Hello 👋
I spotted a small bug while testing a multi-tenancy feature.
Expected Result
In my use-case scenario, REST API endpoint call to the resource server with auth token issued by Realm not specified in the
com.c4-soft.springaddons.security.issuers[*].location
list, should return 401 (Unauthorized) Status Code instead of 500 SC.
Debugging process explained
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver$ResolvingAuthenticationManager.ResolvingAuthenticationManager#authenticate()
, I found out that the issue is on the following line when we try to resolve AuthenticationManager
against non-existent manager in the map.
issuerAuthenticationManagerResolver
bean gets created that is used here. I found it in the AddonsWebSecurityBeans.java
config class, here it is:
Resolver
does return a null in case if Manager with such issuer URI does not exist in the map
Therefore, I just patched that line to:
And used that Bean instead and after that I got expected 401 SC in the response 🎉 .
Additional info
Reactive (WebFlux) application.
Spring Addon dependency used:
implementation "com.c4-soft.springaddons:spring-addons-webflux-jwt-resource-server:$5.4.0"
I could not use 6.x versions b/c of my Spring Boot (2.5.9) version. But I see in the source code that the bug is still there ;)
Questions
Can I open a PR with that quickfix?
In the case of approval, could you please release that fix for 5.x version (e.g. 5.4.1) for me so that I could use it without hacking this autoconfiguration bean?
Thanks 🙏
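The null-versus-empty behaviour described in the issue, as an added example (not the reporter's patch and not the project's code): a resolver that returns null for an unconfigured issuer fails with a NullPointerException, while one that returns an empty Mono lets the caller reject the token. The issuer URLs, the stub manager, the class and field names and the `outcome` helper are assumptions made for illustration; it needs reactor-core, spring-security-core and spring-security-oauth2-resource-server on the classpath.

```java
import java.util.Map;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import reactor.core.publisher.Mono;

public class IssuerResolverDemo {
    // Constructed sample data: one trusted issuer and a stub manager that accepts anything.
    static final String TRUSTED = "https://idp.example/realms/trusted";
    static final ReactiveAuthenticationManager STUB = Mono::just;
    static final Map<String, Mono<ReactiveAuthenticationManager>> MANAGERS =
            Map.of(TRUSTED, Mono.just(STUB));

    // Reported pattern: a plain map lookup returns null for an issuer that is not configured.
    static final ReactiveAuthenticationManagerResolver<String> NULL_ON_MISS = MANAGERS::get;

    // Null-safe variant: an unknown issuer resolves to an empty Mono instead of null.
    static final ReactiveAuthenticationManagerResolver<String> EMPTY_ON_MISS =
            issuer -> MANAGERS.getOrDefault(issuer, Mono.empty());

    // Simplified stand-in (assumption) for the caller: an empty result is turned into
    // an invalid-token error, while a null result blows up before the chain is built.
    static String outcome(ReactiveAuthenticationManagerResolver<String> resolver, String issuer) {
        try {
            resolver.resolve(issuer)
                    .switchIfEmpty(Mono.error(new InvalidBearerTokenException("Invalid issuer")))
                    .block();
            return "authentication manager resolved";
        } catch (InvalidBearerTokenException e) {
            return "rejected as invalid token (the 401 path)";
        } catch (NullPointerException e) {
            return "NullPointerException (the 500 path)";
        }
    }

    public static void main(String[] args) {
        String unknown = "https://idp.example/realms/not-configured"; // constructed value
        System.out.println("trusted, null-on-miss:  " + outcome(NULL_ON_MISS, TRUSTED));
        System.out.println("unknown, null-on-miss:  " + outcome(NULL_ON_MISS, unknown));
        System.out.println("unknown, empty-on-miss: " + outcome(EMPTY_ON_MISS, unknown));
    }
}
```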