#100 JwtIssuerReactiveAuthenticationManagerResolver bean from autoconfiguration bugfix #101
Description
Hello
I spotted a small bug while testing a multi-tenancy feature.
Expected Result
In my use-case scenario, a REST API endpoint call to the resource server with an auth token issued by a Realm not specified in the
com.c4-soft.springaddons.security.issuers[*].location
list should return a 401 (Unauthorized) Status Code instead of a 500 SC.
Debugging process explained
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver$ResolvingAuthenticationManager.ResolvingAuthenticationManager#authenticate()
, I found out that the issue is on the following line when we try to resolve AuthenticationManager
against a non-existent manager in the map.
issuerAuthenticationManagerResolver
bean gets created that is used here. I found it in the AddonsWebSecurityBeans.java
config class, here it is:
Resolver
does return null if a Manager with such an issuer URI does not exist in the map.
Therefore, I just patched that line to:
And used that Bean instead, and after that I got the expected 401 SC in the response.
Additional info
Reactive (WebFlux) application.
Spring Addon dependency used:
implementation "com.c4-soft.springaddons:spring-addons-webflux-jwt-resource-server:$5.4.0"
I could not use 6.x versions b/c of my Spring Boot (2.5.9) version. But I see in the source code that the bug is still there ;)
Questions
In the case of approval, could you please release that fix for 5.x version (e.g. 5.4.1) for me so that I could use it without hacking this autoconfiguration bean?
Thanks
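The failure mode described above, as an added example that is not part of the pull request or of the spring-addons code base: a map-backed issuer resolver that returns null for an unconfigured issuer, next to one that returns an empty Mono. The class name, method names, issuer URLs and the accept-all manager are assumptions made for illustration; it assumes Spring Security 5.x and Reactor on the classpath.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver;
import reactor.core.publisher.Mono;

public class IssuerResolverExample {

    // Before: Map.get() yields null for an issuer that is not configured, so the
    // caller receives a null reference where the contract promises a Mono.
    static ReactiveAuthenticationManagerResolver<String> nullReturning(
            Map<String, Mono<ReactiveAuthenticationManager>> managers) {
        return issuer -> managers.get(issuer);
    }

    // After: an unconfigured issuer resolves to an empty Mono, which the caller
    // can treat as "no manager for this issuer" and reject the token.
    static ReactiveAuthenticationManagerResolver<String> emptyReturning(
            Map<String, Mono<ReactiveAuthenticationManager>> managers) {
        return issuer -> managers.getOrDefault(issuer, Mono.empty());
    }

    // Wiring for the resource server: only the null-safe delegate is passed in.
    static JwtIssuerReactiveAuthenticationManagerResolver resolverFor(
            Map<String, Mono<ReactiveAuthenticationManager>> managers) {
        return new JwtIssuerReactiveAuthenticationManagerResolver(emptyReturning(managers));
    }

    public static void main(String[] args) {
        // Constructed sample data: one configured issuer with an accept-all manager.
        ReactiveAuthenticationManager acceptAll = authentication -> Mono.just(authentication);
        Map<String, Mono<ReactiveAuthenticationManager>> managers = Collections.singletonMap(
                "https://idp.example/realms/configured", Mono.just(acceptAll));
        String unknownIssuer = "https://idp.example/realms/not-configured";

        boolean beforeIsNull = nullReturning(managers).resolve(unknownIssuer) == null;
        boolean afterIsEmpty = !emptyReturning(managers).resolve(unknownIssuer)
                .blockOptional().isPresent();

        System.out.println("before: resolver returned null = " + beforeIsNull);
        System.out.println("after: resolver returned empty Mono = " + afterIsEmpty);
        System.out.println("wired resolver: " + resolverFor(managers).getClass().getSimpleName());
    }
}
```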