issue source

Hello, I caught strange behavior when I disabled anonymous() in WebSecurityConfigurerAdapter together with the oauth2ResourceServer().jwt() option. This setting throws an exception on startup: "An AuthenticationManager is required". Used version: 2.2.4.RELEASE. The same settings work on 2.1.x.RELEASE.

Yes, I understand that if I specify a bean the error will disappear, but this behavior seems strange.

Sample here:

    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    public class AnonymousDisableApplication extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                    // disabling anonymous access combined with jwt() triggers
                    // "An AuthenticationManager is required" on 2.2.4.RELEASE
                    .anonymous()
                    .disable()
                    .oauth2ResourceServer()
                    .jwt();
        }

    }

Comment From: cccs-cat001

What was the fix for this issue? I'm currently hitting it with this config:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

      // Azure AD app-role filter from the Azure Spring Boot starter (import omitted)
      @Autowired
      private AADAppRoleStatelessAuthenticationFilter aadAuthFilter;

      // AuthenticationEntryPoint here must be a concrete project class; the Spring
      // interface of the same name cannot be instantiated with new
      @Bean
      public AuthenticationEntryPoint entrypoint() {
        System.out.println("ENTRYPOINT");
        return new AuthenticationEntryPoint();
      }

      @Override
      protected void configure(HttpSecurity http) throws Exception {
        System.out.println("CONFIG");
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER);
        http.anonymous().disable();
        // note: antMatchers(String...) treats "OPTIONS" as a path pattern, so "/**"
        // permits every request; HttpMethod.OPTIONS was probably intended
        http.authorizeRequests().antMatchers("OPTIONS", "/**").permitAll()
            .antMatchers("/login", "/login/**").permitAll().anyRequest().authenticated().and()
            .exceptionHandling().authenticationEntryPoint(entrypoint());
        // custom filter registered directly, with no AuthenticationProvider behind it
        http.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
      }
    }

Comment From: jzheaux

Thanks, @cccs-cat001 for reaching out, but I don't think it's the same situation. The reported issue was for when oauth2ResourceServer() and anonymous().disabled() were combined.

I believe your issue is that you haven't specified any authentication mechanisms. If you have control over how AADAppRoleStatelessAuthenticationFilter is coded, consider creating an authentication provider instead and wiring that into the DSL.

If that doesn't address your question, please consider posting to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or file a ticket if you feel this is a genuine bug.
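The provider-based wiring jzheaux suggests, as an added example that is not code from this thread or from Spring Security itself: the bearer token is handed to an AuthenticationProvider through the resolver DSL instead of a hand-written servlet filter. It assumes the Spring Security 5.2+ lambda DSL and a hypothetical AppRoleTokenValidator bean, and makes no claim about avoiding the startup exception reported above.

```java
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;

@EnableWebSecurity
public class AppRoleSecurityConfig extends WebSecurityConfigurerAdapter {
    // Hypothetical validator (assumption): returns the app roles of a valid token
    // and throws BadCredentialsException for an invalid or expired one.
    public interface AppRoleTokenValidator {
        Set<String> roles(String token) throws BadCredentialsException;
    }

    // Consumes the BearerTokenAuthenticationToken that the resource-server filter
    // creates, so no custom servlet filter is needed.
    static final class AppRoleAuthenticationProvider implements AuthenticationProvider {
        private final AppRoleTokenValidator validator;
        AppRoleAuthenticationProvider(AppRoleTokenValidator v) { this.validator = v; }

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            String token = ((BearerTokenAuthenticationToken) authentication).getToken();
            Set<SimpleGrantedAuthority> authorities = validator.roles(token).stream()
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role)).collect(Collectors.toSet());
            // the three-argument constructor marks the result as authenticated
            return new UsernamePasswordAuthenticationToken("app-role-client", token, authorities);
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return BearerTokenAuthenticationToken.class.isAssignableFrom(authentication);
        }
    }

    private final AppRoleTokenValidator validator;
    public AppRoleSecurityConfig(AppRoleTokenValidator validator) { this.validator = validator; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AuthenticationManager manager =
                new ProviderManager(Collections.singletonList(new AppRoleAuthenticationProvider(validator)));
        http.anonymous().disable()
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            // every bearer token is routed to the provider-backed manager
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(request -> manager));
    }
}
```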

Comment From: cselagea

I'm hitting this issue when using an AuthenticationManagerResolver. Here's my configuration:

    import javax.servlet.ServletRegistration;
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
    import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Import;
    import org.springframework.security.authentication.AuthenticationManagerResolver;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @ConditionalOnClass(ServletRegistration.class)
    @ConditionalOnProperty(
            value = "spring.main.web-application-type",
            havingValue = "servlet",
            matchIfMissing = true)
    @Import(JwtAuthenticationConfiguration.class) // project class providing the resolver bean
    @EnableWebSecurity
    public class WebSecurityAutoConfiguration {

        @Bean
        public SecurityFilterChain bearerTokenSecurityFilterChain(
                HttpSecurity http,
                AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) throws Exception {
            return http
                    .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
                    .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver))
                    // disabling anonymous after the resource-server DSL is what fails
                    .anonymous().disable()
                    .build();
        }

    }

where the authenticationManagerResolver bean is an instance of JwtIssuerAuthenticationManagerResolver that's configured in JwtAuthenticationConfiguration.

The following test fails due to "java.lang.IllegalArgumentException: An AuthenticationManager is required".

    import static org.assertj.core.api.Assertions.assertThat;
    import org.junit.jupiter.api.Test;
    import org.springframework.boot.autoconfigure.AutoConfigurations;
    import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
    import org.springframework.boot.test.context.runner.WebApplicationContextRunner;

    @Test
    void verifySecurityFilterChainIsCreated() {
        new WebApplicationContextRunner()
                .withConfiguration(AutoConfigurations.of(WebSecurityAutoConfiguration.class, SecurityAutoConfiguration.class))
                .run(context -> assertThat(context).hasBean("bearerTokenSecurityFilterChain"));
    }

@jzheaux should I open a new issue to report this?

Comment From: jzheaux

Please do, @cselagea. Also, if you provide a reproducing sample, then that can help accelerate any needed fix.

Comment From: cselagea

> Also, if you provide a reproducing sample, then that can help accelerate any needed fix.

I'll probably fork this repository and try to add a test to OAuth2ResourceServerConfigurerTests that reproduces the problem, if that makes sense @jzheaux.