Why is Spring Security working in Tomcat but not when deployed to Weblogic?

I'm not really a Java developer, but a project for a client has required me to be, so maybe I'm missing something glaringly obvious.

I'm using SpringBoot and everything works fine when the application runs in Tomcat on my local machine and on our testing server. However, as soon as the application is deployed to Weblogic it's as if there is no security at all with all routes accessible. Login and logout routes are non-existent as well.

That being said, everything else appears to work fine, just without any security at all.

I don't have access to Weblogic as the client is the one deploying the code but they have told us that it's running on 12c. What can I do to fix or troubleshoot this?

Here's the relevant config from my Application.java:

/**
 * The type Authentication security.
 */
@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {

    /**
     * The Users.
     */
    @Autowired
    private Users users;

    /**
     * Init void.
     *
     * @param auth the auth
     * @throws Exception the exception
     */
    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users).passwordEncoder(new BCryptPasswordEncoder());
    }
}

/**
 * The type Application security.
 */
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    /**
     * Configure void.
     *
     * @param http the http
     * @throws Exception the exception
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http.authorizeRequests()
                .antMatchers("/vendor/*","/public/**/*","/partners/*","/events/*", "/login").permitAll()
                .anyRequest().fullyAuthenticated().and().formLogin().loginPage("/login")
                .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).and()
                .exceptionHandling().accessDeniedPage("/access?error");
        // @formatter:on
    }

}

Thanks in advance.

Jon Hester asked Apr 01 '15 13:04


2 Answers

It sounds as though you are running into SEC-2465. In short, there is a bug in WebLogic related to adding Filter instances. From the above JIRA:

Oracle acknowledged it as a bug: 17382048, fixed with patch 16769849. It is reported as being fixed in WLS 12.1.3

The client should update their WebLogic server to get a fix. Alternatively, you can create your own version of AbstractSecurityWebApplicationInitializer that registers springSecurityFilterChain with the class method:

servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass)

Your subclass of AbstractSecurityWebApplicationInitializer would then extend your custom class instead.

Update

Based on the updated information, I still contend the issue is related to the WebLogic bug mentioned above. When using SpringBootServletInitializer, the Filters are added with FilterRegistrationBean as an instance rather than a class.

The easiest option is to update to WebLogic since everything should work as is.

To work around the issue, you can disable the registration of Spring Security and any other Filters. You can do this by creating a FilterRegistrationBean like the following:

@Bean
public FilterRegistrationBean springSecurityFilterChainRegistrationBean(@Qualifier("springSecurityFilterChain") Filter filter) {
    FilterRegistrationBean bean = new FilterRegistrationBean();
    bean.setFilter(filter);
    bean.setEnabled(false);
    return bean;
}

Then you need to ensure the Filter is registered using

servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass)

Spring Security can be registered with the above mechanism by implementing WebApplicationInitializer. For example, you can create the following class:

package demo;

import java.util.EnumSet;

import javax.servlet.FilterRegistration.Dynamic;
import javax.servlet.*;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

public class SecurityInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext context) throws ServletException {
        Dynamic registration =
                context.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
        EnumSet<DispatcherType> dispatcherTypes =
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC);
        registration.addMappingForUrlPatterns(dispatcherTypes, true, "/*");
    }
}

DelegatingFilterProxy will look up a bean of the name "springSecurityFilterChain" and delegate to it every time doFilter is invoked.

Rob Winch answered Oct 04 '22 19:10
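Whichever route is taken (the WebLogic patch or the class-based registration above), the symptom in the question is silent: the app deploys and simply serves every route to anonymous clients. The following smoke test is an added example, not part of the original answer; it assumes a placeholder base URL, uses /admin as a constructed stand-in for any route outside the permitAll() list, and takes the /login page from the question's HttpSecurity config.

```python
"""Smoke test for the symptom in the question: every route served without
login.  Added example, not from the original post.  Assumes the base URL is
a placeholder, /admin stands in for any route outside permitAll(), and the
login page is /login as in the question's .loginPage("/login")."""
import urllib.error
import urllib.request

PROTECTED_PATH = "/admin"  # constructed: any path not in permitAll()
LOGIN_PATH = "/login"      # from the question's HttpSecurity config
REDIRECTS = (301, 302, 303)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_get(url):
    """GET without following redirects; returns (status, lowercase headers)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def check_security(base_url, get=http_get):
    """Findings seen by an anonymous client; empty means the filter chain is
    enforcing.  `get` is injectable so the logic runs offline in a test."""
    findings = []
    status, headers = get(base_url + PROTECTED_PATH)
    location = headers.get("location", "")
    if status == 200:
        findings.append(f"{PROTECTED_PATH}: 200 to an anonymous client, "
                        "the security filter chain is not running")
    elif status in REDIRECTS and LOGIN_PATH not in location:
        findings.append(f"{PROTECTED_PATH}: redirected to {location!r}, "
                        f"not to {LOGIN_PATH}")
    elif status not in REDIRECTS + (401, 403):
        findings.append(f"{PROTECTED_PATH}: unexpected status {status}")
    status, _ = get(base_url + LOGIN_PATH)
    if status == 404:
        findings.append(f"{LOGIN_PATH}: 404, formLogin() page never registered")
    return findings
```

Run `check_security("https://weblogic-host/app")` against the deployed instance after each deployment; an empty list means anonymous requests are being redirected to the login page as the config intends.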


I think you need to add the securityContextPersistenceFilter in the filter chain

<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />

I found the following comment in the SecurityContextPersistenceFilter class:

 * This filter will only execute once per request, to resolve servlet container (specifically Weblogic)
 * incompatibilities.

Mourad Zouabi answered Oct 04 '22 20:10