BearerTokenAccessDeniedHandler Class Definition Not found

Question

I'm trying a demo project with spring boot 2.1.1 and spring sec 5, as an OAuth2 resource server however when I try to run the following

ENV

• Spring Boot 2.1.1 RELEASE

• Spring Security Core 5.1.2

• Java 8

CODE

    @RestController
    @SpringBootApplication
   //  @EnableResourceServer
    public class MyApplication {

    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
    @GetMapping("/hello")
    public String sayHello() {
    return "Hello World";
    }

    @Configuration
    static class MyWebSecurityConfigurerAdapter extends 
    WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .oauth2ResourceServer().jwt(); // <--- throws error

        }
      }

    }

Which throws the error

Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.NoClassDefFoundError: org/springframework/security/oauth2/server/resource/web/access/BearerTokenAccessDeniedHandler

BUILD

My dependencies look like

dependencies {

implementation('org.springframework.boot:spring-boot-starter-web')
implementation('org.springframework.boot:spring-boot-starter-security')
implementation(group: 'org.springframework.security.oauth.boot', name: 'spring-security-oauth2-autoconfigure', version: '2.1.1.RELEASE')

implementation(group: 'org.springframework.security.oauth', name: 'spring-security-oauth2', version: '2.3.4.RELEASE')
}

Answer 1

The exception disappeared when I added spring-boot-starter-oauth2-resource-server dependency

Answer 2

Me too.

But I found it in org.springframework.boot:spring-boot-starter-oauth2-resource-server

---

By the way, I imported org.springframework.boot:spring-boot-starter-oauth2-resource-server package and use:

        http
                .authorizeRequests()
                .antMatchers("/**").hasAnyRole("admin")
                .anyRequest().authenticated();
                //.and()
                //.oauth2ResourceServer() don't use it,
                //.jwt();
                // Do not use it, otherwise you must define 
                // jwtDecoderByIssuerUri or jwtDecoderByJwkKeySetUri

If you want to enable oauth2ResourceServer,maybe you need to wait for Spring Security 5.3.x.

Maybe it related to next-generation-oauth-2-0-support-with-spring-security

Answer 3

I upvoted the other answers, but I used "implementation" in my build.gradle file

implementation 'org.springframework.security:spring-security-oauth2-resource-server'

The compile configuration still exists but should not be used as it will not offer the guarantees that the api and implementation configurations provide.

The above quote from: (( https://docs.gradle.org/current/userguide/java_library_plugin.html#sec:java_library_separation ))

My full file below

plugins {
    id 'java'
}

group 'com.mycompany.mything'
version '1.0-SNAPSHOT'

sourceCompatibility = 1.8


repositories {
    mavenCentral()
}

apply plugin: 'org.springframework.boot'
apply plugin: 'io.spring.dependency-management'


dependencies {

implementation 'org.springframework.boot:spring-boot-starter-data-rest'
implementation 'org.springframework.boot:spring-boot-starter-data-jpa'



implementation 'org.springframework.boot:spring-boot-starter-security'
//    implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.security:spring-security-oauth2-resource-server'
implementation 'org.springframework.security:spring-security-oauth2-jose'
//    implementation 'org.springframework.security:spring-security-config'






}

Also see

https://medium.com/mindorks/implementation-vs-api-in-gradle-3-0-494c817a6fa

for implementation vs api discussion