How to disable Netty connection pool used by Spring security in Spring Cloud Gateway #1493

Closed
clavinovahan opened this issue Dec 19, 2019 · 10 comments

@clavinovahan

clavinovahan commented Dec 19, 2019

SpringBoot version: 2.2.1
Spring Cloud version: Hoxton.Release

We use Spring Cloud Gateway with Spring Security OAuth2. Spring Security OAuth2 uses Netty to post requests to the IDP. We tried to disable the Netty connection pool that Spring Security OAuth2 uses with the following class, but it seems to have no effect.

The Spring Security OAuth filter still uses the Netty connection pool. I still see logs showing r.n.resources.PooledConnectionProvider. How do we configure this in a Spring Cloud Gateway application?

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ClientHttpConnector;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.tcp.TcpClient;

// Attempt to make WebClient open a new connection per request instead of pooling.
@Configuration
public class WebClientConfig {

    @Bean
    public WebClient webClient(final ClientHttpConnector clientHttpConnector) {
        return WebClient.builder().clientConnector(clientHttpConnector).build();
    }

    // TcpClient.newConnection() builds a client that does not use a connection pool.
    @Bean
    public ClientHttpConnector clientHttpConnector() {
        return new ReactorClientHttpConnector(HttpClient.from(TcpClient.newConnection()));
    }
}

I uploaded the simple demo project to Github at the link below,
https://github.com/hanscrg/Sample-SpringCloudGateway-UAA

It is very simple; UAA is just the identity provider. The build and run commands are listed on the home page. The Gateway project has only 3 files. One file is for the Gateway; the other two files try to customize the WebClient or ClientHttpConnector used by the Spring Security filter.

When you hit the URL http://localhost:8080/, the gateway will go through the OAuth2 flow and finally show the Test OK page. In the Gateway project's sample.log, you will find the line

[reactor-http-nio-2] r.n.resources.PooledConnectionProvider : Creating new client pool [http] for localhost:8090

That means whatever HTTP client or server customization is applied does not take effect on reactor.netty.http.client.HttpClientConnect, as it still uses the pool.

So is there any way to disable that Netty pool and let it create a new connection every time?

@OlgaMaciaszek
Contributor

Please learn how to properly format code and logs.

@OlgaMaciaszek
Contributor

It seems that you are missing @Configuration in your config class. Also, the sample code actually contains HttpClient.create(ConnectionProvider.newConnection()) and not HttpClient.from(TcpClient.newConnection()).
Apart from this what your configuration will do is create a different client, not a different connectionProvider. Gateway sets the connectionProvider in GatewayAutoConfiguration class. By default, the pooled one is used. You can modify it in properties:

spring:
  cloud:
    gateway:
      httpclient:
        pool:
          type: disabled

Let me know if this is helpful.

@clavinovahan
Author

clavinovahan commented Dec 20, 2019

@OlgaMaciaszek, thank you so much for your input. I have @Configuration in my dev environment and also tried configuring the gateway HTTP client pool as disabled in application.yml, but it does not seem to impact the HTTP client used by Spring Security. I will try to update the GitHub demo project based on your input tonight, see how it goes, and update with feedback by then. Again, thanks a lot for looking into this issue.

@spencergibb
Member

I wouldn't think it would since that client is specific to the gateway. Have you asked in spring security?

@clavinovahan
Author

clavinovahan commented Dec 20, 2019

@spencergibb,

That is what I suspect. The webclient is in Spring Security OAuth2 filter.

We also post the question at Spring Security,
spring-projects/spring-security#7754

Also on Reactor-Netty
reactor/reactor-netty#938

So far there is no solution or workaround yet. We are pending to PROD; this issue makes our Spring Cloud Gateway application login throw 500 errors sporadically. It has become outstanding. We understand this is due to AWS Load Balancing dropping idle connections. I believe this issue will be faced by most gateway applications deployed to the cloud. We are urgently seeking all kinds of solutions or workarounds. Your input is greatly appreciated.

@spencergibb
Member

Having three open issues is not very good. Since the issue is in spring security that is the right place. The holidays are starting and many people are on leave.

@clavinovahan
Author

Yes, I fully understand. It is due to the urgency; also, they are quite related and impact each other, each from a different perspective. We hope Reactor Netty can solve the issue at the root, but also hope Spring Security or Cloud Gateway can have some way to configure it, with our previous understanding that both share the same WebClient configuration, which may be incorrect.

@matjamesymj

@clavinovahan did you ever get to the bottom of this?

@smalihaider

I am facing the exact same issue - @clavinovahan were you able to get this resolved?

@maciejwitwicki

@matjamesymj @smalihaider I've also had a problem with this, so I've created an issue in the spring-security project: spring-projects/spring-security#12655. We have also worked around this problem, so I'll try to describe it in the issue; hopefully that will help any other folks who run into this.
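
Added example, not part of the thread and not the workaround referenced in spring-projects/spring-security#12655: since the gateway's `httpclient.pool` property only affects the gateway's own client, one way to take the OAuth2 token request off the pool is to hand Spring Security's token client its own WebClient. It assumes the Spring Security version in use resolves a `ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>` bean for `oauth2Login()`; the class and method names `OAuth2TokenClientConfig`, `unpooledWebClient` and `authorizationCodeTokenResponseClient` are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.resources.ConnectionProvider;

@Configuration
public class OAuth2TokenClientConfig {

    // Kept private (not a bean) so it does not replace any WebClient
    // that other parts of the application autowire.
    private static WebClient unpooledWebClient() {
        // ConnectionProvider.newConnection() opens a fresh connection per
        // request, so no idle pooled connection can be reused after a load
        // balancer has silently dropped it.
        HttpClient httpClient = HttpClient.create(ConnectionProvider.newConnection());
        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();
    }

    // Assumption: oauth2Login() picks this bean up instead of constructing
    // its default token client with a default (pooled) WebClient.
    @Bean
    public ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>
            authorizationCodeTokenResponseClient() {
        WebClientReactiveAuthorizationCodeTokenResponseClient client =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();
        client.setWebClient(unpooledWebClient());
        return client;
    }
}
```

To check the effect, watch the gateway log for the `PooledConnectionProvider : Creating new client pool [http]` line against the IDP host during login. This covers only the token request; other Spring Security components that call the IDP hold their own WebClient.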
