There are two issues here. One is directly related to Netty, which is used by Spring Security - Connection reset by peer - but it is also about how Spring Security configures it; the other issue is that there is no documented way for applications leveraging Spring Security to customize Spring Security's WebClient or HttpClientConnector - the Netty HTTP Client.

We use Spring Cloud Gateway/Spring Security for Authentication/Authorization, and its OAuth2 Authentication filter uses the Netty HTTP client to post the token request to the Identity Provider. It appears that the load balancer often disconnects the connections (Channels) in the Netty connection pool. We are seeking a way to either disable that connection pool or set the idle timeout to a limited time, so that connections in the pool get disposed instead of the load balancer disconnecting them while the OAuth2 filter starts to post an HTTP request using that connection.

What is the way in Spring Security to do that since we do not create WebClient or HTTPClientConnector in our application and it is Spring OAuth2 Authentication filter doing so?

We tried to configure the Spring Cloud Gateway HTTP client parameters, but it does not affect the Netty HTTP client used by the Spring OAuth2 Authentication filter.

Spring Boot version: 2.2.1
Spring Cloud version: Hoxton.Release
Spring Security: 5.2.1

I uploaded a simple demo project to GitHub at the link below: https://github.com/hanscrg/Sample-SpringCloudGateway-UAA

It cannot demo the connection reset by peer issue, as there is no load balancer between the Spring Gateway application/Spring Security and UAA. It demos that the way we try to disable the Netty connection pool does not work. Build and run commands are listed on the home page.

When you hit the URL http://localhost:8080/, the gateway will go through the OAuth2 flow and finally show the Test OK page. See the logs in the Gateway project's sample.log; you will find the line

[reactor-http-nio-2] r.n.resources.PooledConnectionProvider : Creating new client pool [http] for localhost:8090

That means that whatever HTTP client or server customization is applied does not take effect on the reactor.netty.http.client.HttpClientConnect created by the Spring Security filter, as it still uses the pool.

Spring Cloud Gateway gives a way to configure its HTTP client, such as spring.cloud.gateway.httpclient.pool.type; is there any way for Spring Security to give a similar way to customize its HTTP client?
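One way to hand Spring Security's reactive OAuth2 login a WebClient whose Netty client does not pool connections, so a channel the load balancer has already dropped is never reused for the token POST. This is an added example, not code from this issue or the linked sample, and it assumes (not stated on this page) that Spring Security 5.2 picks up a `ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest>` bean in place of its default token response client.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.resources.ConnectionProvider;

@Configuration
public class TokenClientConfig {

    // Assumption: Spring Security's OAuth2 login looks up a bean of this
    // generic type and uses it instead of its default token response client.
    @Bean
    public ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenResponseClient() {
        // ConnectionProvider.newConnection() opens a fresh connection per
        // request instead of using PooledConnectionProvider, so no idle
        // channel survives long enough for the load balancer to reset it.
        HttpClient httpClient = HttpClient.create(ConnectionProvider.newConnection());

        WebClient webClient = WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();

        // The token response client posts to the IdP's token endpoint with
        // the WebClient we supply rather than one it builds itself.
        WebClientReactiveAuthorizationCodeTokenResponseClient client =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();
        client.setWebClient(webClient);
        return client;
    }
}
```

With this bean in place the "Creating new client pool [http]" line for the IdP host should no longer appear for token requests, which is the check that the override actually took effect.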

Comment From: fhanik

Hi @hanscrg,

Thank you for the detailed description and sample. I'm not actually seeing an issue in your initial report. Rather, I see a question:

What is the way in Spring Security to do that since we do not create WebClient or HTTPClientConnector in our application and it is Spring OAuth2 Authentication filter doing so?

We reserve GitHub issues for bugs and enhancements for practical reasons. For questions, we encourage you to go to https://stackoverflow.com/questions/tagged/spring-security and ask, as that community is fairly large.

We also have a Gitter channel, albeit a smaller community: https://gitter.im/spring-projects/spring-security

Comment From: clavinovahan

@fhanik, I do not agree with the decision to close this ticket. Due to Spring Security using the Netty connection pool for OAuth, it failed the OAuth token request when network components drop the connection after the idle timeout. Although the issue is rooted in Netty connection pool retry, Spring Security should expose a way to configure the HTTP client it creates, like Spring Cloud Gateway does, so that applications leveraging Spring Security can customize the HTTP client to disable the connection pool. If Spring Security does not expose HTTP client configuration, then this will be something to enhance. I would suggest reopening this ticket.

Comment From: fhanik

@hanscrg I don't disagree with you.

I'm asking you to open a new ticket with an enhancement request for exposing the underlying configuration of the WebClient.

This ticket brings in a lot of outside libraries and a sample that is very encompassing and at the same time overwhelming. This issue, in other words, describes a symptom and asks a question.

I am simply suggesting opening a very simple ticket that is very clear: 1. It's an enhancement request. 2. What properties you wish to expose.

That's probably easier than reopening and rewriting this ticket, and will be much clearer to the community on what we're trying to achieve.

Comment From: clavinovahan

@fhanik, I got it. I will open a ticket for enhancement request.