
Spring security context added as additional http header to http request via service invocation #638

Closed
javageek79 opened this issue Oct 4, 2021 · 6 comments · Fixed by #642
Labels: kind/bug (Something isn't working), P1

Comments

@javageek79

Expected Behavior

During service invocation, we are affected by #3408. This is mainly because the entire Spring Security context is added as a header to the request. In our case, this exceeds the default allowed header size for fasthttp requests.
As the service being called has no secured endpoint in this case, the security context is of no use during this workflow.
I would expect that, by default, transfer of security context information via service invocation is disabled, and that it can be added if needed.

Actual Behavior

Service invocation in the context of a Spring Security application breaks at runtime with a too-large HTTP header. See #3408.

Steps to Reproduce the Problem

Have a Spring Security context containing many roles and scopes, received e.g. from an OAuth2 JWT token.

Release Note

RELEASE NOTE:

@javageek79 javageek79 added the kind/bug Something isn't working label Oct 4, 2021
@stefanJ-hub

Is there actually a reason why the Spring Security context is added as a header to the service invocation?
(I do not see a reason here.)

As @javageek79 mentioned: if this cannot be "simply" dropped, it would be good if we could at least toggle it off.

If you know some mitigation approaches (that can be applied right now) to have the security context NOT passed into the service invocation, we would be happy to hear ;-)
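
An added illustration of the mitigation pattern asked for above (it is not code from the Dapr Java SDK, from PR #642, or from this thread): copy only an allowlist of headers into the outbound call, and measure what the header block costs against the sidecar's fasthttp read buffer before sending. The 4096-byte limit is fasthttp's default read buffer size; the allowlist, the `x-spring-security-context` header name, the request line and the JWT-derived sample context are all assumptions constructed for this example.

```python
"""Added example (not Dapr SDK code): allowlisted header propagation plus a
size check against fasthttp's default read buffer, which must hold the
request line and every header of the inbound request."""
import json

# fasthttp default ReadBufferSize (bytes): request line + all headers must fit.
READ_BUFFER_BYTES = 4096

# Hypothetical allowlist: what a callee with no secured endpoint actually needs.
PROPAGATE_ALLOWLIST = frozenset(
    {"traceparent", "tracestate", "x-request-id", "content-type"}
)

# Assumed request line of the sidecar invocation, used only for sizing.
REQUEST_LINE = "POST /v1.0/invoke/service-b/method/work HTTP/1.1"


def wire_size(headers, request_line=REQUEST_LINE):
    """Bytes the request line and header block occupy on the wire:
    each line is CRLF-terminated and an empty CRLF line ends the block."""
    size = len(request_line.encode("utf-8")) + 2
    for name, value in headers.items():
        size += len(f"{name}: {value}\r\n".encode("utf-8"))
    return size + 2


def fits_read_buffer(headers, limit=READ_BUFFER_BYTES):
    """True if a sidecar with the default buffer could parse this header block."""
    return wire_size(headers) <= limit


def filter_headers(headers, allowlist=PROPAGATE_ALLOWLIST):
    """Keep only the headers the downstream call is meant to receive
    (header names compared case-insensitively)."""
    return {
        name: value for name, value in headers.items() if name.lower() in allowlist
    }


def serialized_security_context(n_roles):
    """Constructed stand-in for a Spring Security context built from a JWT
    carrying many roles and scopes, serialized as a naive propagator might."""
    authorities = [f"ROLE_TENANT_{i}_ADMIN" for i in range(n_roles)]
    authorities += [f"SCOPE_api.resource{i}.write" for i in range(n_roles)]
    context = {
        "principal": "alice@example.com",
        "authenticated": True,
        "authorities": authorities,
    }
    return json.dumps(context, separators=(",", ":"))


def naive_outbound_headers(n_roles=150):
    """Constructed outbound headers if the whole context were copied into
    a header (the header name is hypothetical)."""
    return {
        "traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
        "content-type": "application/json",
        "x-spring-security-context": serialized_security_context(n_roles),
    }


if __name__ == "__main__":
    naive = naive_outbound_headers()
    print("naive:", wire_size(naive), "bytes; fits:", fits_read_buffer(naive))
    safe = filter_headers(naive)
    print("filtered:", wire_size(safe), "bytes; fits:", fits_read_buffer(safe))
```

With 150 roles and 150 scopes the serialized context alone is several kilobytes, so the naive request cannot be parsed by a sidecar with the default 4 KB buffer, while the allowlisted request is a few hundred bytes. The allowlist, rather than a per-header size cap, is the security-relevant choice: a caller should not forward its principal and authorities to a callee that does not authorize on them.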

@artursouza (Member)

Is the Spring security context coming from the frontend calling into the backend and then Dapr sidecar? I would like to understand the flow.

@javageek79 (Author)

Hi @artursouza, yes, the flow is as follows:
"public" REST API -- Spring Security -> Service A -- Dapr service invocation -> Service B

@artursouza artursouza self-assigned this Oct 5, 2021
@artursouza (Member)

I am working on an integration test to repro this. Thanks.

@artursouza (Member)

@javageek79 The PR is merged; please try using SDK version 1.4.0-SNAPSHOT.

@stefanJ-hub

@artursouza The fix works for us. Looking forward to a released SDK.
