Summary
Spring Security uses class from OAuth2 project which results into NoClassDefFoundError.
Actual Behavior
When including following versions (in non-Boot application):
def springSecurityVersion = '5.3.1.RELEASE'
compile group: 'org.springframework.security', name: 'spring-security-core', version: springSecurityVersion
compile group: 'org.springframework.security', name: 'spring-security-web', version: springSecurityVersion
compile group: 'org.springframework.security', name: 'spring-security-config', version: springSecurityVersion
and using following configuration:
<http>
<intercept-url pattern="/**" access="authenticated" />
<oauth2-resource-server>
<jwt jwk-set-uri="${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}"/>
</oauth2-resource-server>
</http>
the application runs into following problem:
org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/spring/security.xml]; nested exception is java.lang.NoClassDefFoundError: org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPoint
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:415) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:336) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:305) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:188) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:224) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:195) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:125) ~[spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:94) ~[spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:133) ~[spring-context-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:637) ~[spring-context-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:522) ~[spring-context-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:401) ~[spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:292) ~[spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103) [spring-web-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:957) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:552) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:922) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:364) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1497) [jetty-webapp-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1459) [jetty-webapp-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:852) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:278) [jetty-servlet-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:545) [jetty-webapp-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.akhikhl.gretty.JettyWebAppContext.doStart(JettyWebAppContext.groovy:44) [gretty-runner-jetty94-2.3.1.jar:na]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:168) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:138) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.Server.start(Server.java:415) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:108) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:113) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.server.Server.doStart(Server.java:382) [jetty-server-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.eclipse.jetty.util.component.LifeCycle$start$0.call(Unknown Source) [jetty-util-9.4.14.v20181114.jar:9.4.14.v20181114]
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120) [groovy-2.4.15.jar:2.4.15]
at org.akhikhl.gretty.JettyServerManager.startServer(JettyServerManager.groovy:48) [gretty-runner-jetty-2.3.1.jar:na]
at org.akhikhl.gretty.ServerManager$startServer$0.call(Unknown Source) [gretty-runner-2.3.1.jar:na]
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:128) [groovy-2.4.15.jar:2.4.15]
at org.akhikhl.gretty.Runner.run(Runner.groovy:121) [gretty-runner-2.3.1.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_111]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_111]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_111]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_111]
at org.springsource.loaded.ri.ReflectiveInterceptor.jlrMethodInvoke(ReflectiveInterceptor.java:1427) [springloaded-1.2.8.RELEASE.jar:1.2.8.RELEASE]
at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrapNoCoerce.invoke(PogoMetaMethodSite.java:210) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.call(PogoMetaMethodSite.java:71) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-2.4.15.jar:2.4.15]
at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120) [groovy-2.4.15.jar:2.4.15]
at org.akhikhl.gretty.Runner.main(Runner.groovy:48) [gretty-runner-2.3.1.jar:na]
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPoint
at org.springframework.security.config.http.OAuth2ResourceServerBeanDefinitionParser.<init>(OAuth2ResourceServerBeanDefinitionParser.java:74) ~[spring-security-config-5.3.1.RELEASE.jar:5.3.1.RELEASE]
at org.springframework.security.config.http.AuthenticationConfigBuilder.createBearerTokenAuthenticationFilter(AuthenticationConfigBuilder.java:520) ~[spring-security-config-5.3.1.RELEASE.jar:5.3.1.RELEASE]
at org.springframework.security.config.http.AuthenticationConfigBuilder.<init>(AuthenticationConfigBuilder.java:197) ~[spring-security-config-5.3.1.RELEASE.jar:5.3.1.RELEASE]
at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.createFilterChain(HttpSecurityBeanDefinitionParser.java:157) ~[spring-security-config-5.3.1.RELEASE.jar:5.3.1.RELEASE]
at org.springframework.security.config.http.HttpSecurityBeanDefinitionParser.parse(HttpSecurityBeanDefinitionParser.java:107) ~[spring-security-config-5.3.1.RELEASE.jar:5.3.1.RELEASE]
at org.springframework.security.config.SecurityNamespaceHandler.parse(SecurityNamespaceHandler.java:115) ~[spring-security-config-5.3.1.RELEASE.jar:5.3.1.RELEASE]
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1391) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1371) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:179) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.doRegisterBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:149) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:96) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:509) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:389) ~[spring-beans-5.2.5.RELEASE.jar:5.2.5.RELEASE]
... 56 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint
at java.net.URLClassLoader.findClass(URLClassLoader.java:381) ~[na:1.8.0_111]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[na:1.8.0_111]
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331) ~[na:1.8.0_111]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[na:1.8.0_111]
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:556) ~[na:na]
at org.akhikhl.gretty.FilteringClassLoader.loadClass(FilteringClassLoader.java:72) ~[gretty-runner-jetty94-2.3.1.jar:na]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[na:1.8.0_111]
... 69 common frames omitted
Expected Behavior
Spring Security should be self sufficient and if there is some missing dependency, it should be resolved internally, without developer needing to add another dependencies to his build.
Version
5.3.1.RELEASE
Comment From: dulakm
My bad. I must have overlooked note in https://docs.spring.io/spring-security/site/docs/current/reference/html5/#dependencies.