0

I have Spring Boot application, everything works fine until I implement spring security in front of my application. This is a RESTful api that has a token based authentication. What's even more weird it works (!) intermittently - by intermittently I mean restarting the application will return the right responses such as 401/403 if unauthenticated and other codes if user is authorized to access them. This is being deployed into WebLogic.

2017-01-05 14:12:51.164  WARN 11252 --- [ (self-tuning)'] o.s.web.servlet.PageNotFound             : No mapping found for HTTP request with URI [/user] in DispatcherServlet with name 'dispatcherServlet'

WebApplication.java

@SpringBootApplication(exclude = { SecurityAutoConfiguration.class })
public class WebApplication extends SpringBootServletInitializer implements WebApplicationInitializer {

    public static void main(String[] args) {
        Object[] sources = new Object[2];
        sources[0] = WebConfiguration.class;
        sources[1] = WebSecurityConfiguration.class;
        SpringApplication.run(sources, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) {
        return builder.sources(WebApplication.class);
    }

}

WebConfiguration.java

@Configuration
@ComponentScan(basePackages = { "com.controller", "com.service", "com.dao"})
@EnableAutoConfiguration(exclude = {
        DataSourceAutoConfiguration.class })
public class WebConfiguration extends WebMvcConfigurerAdapter {

private static final Logger logger = LoggerFactory.getLogger(WebConfiguration.class);

/**
 * Setup a simple strategy: use all the defaults and return XML by default
 * when not sure.
 */
@Override
public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
    configurer.defaultContentType(MediaType.APPLICATION_JSON).mediaType("json", MediaType.APPLICATION_JSON)
            .mediaType("xml", MediaType.APPLICATION_XML);
}

@Bean(name = "entityManagerFactory")
public EntityManagerFactory getQmsEntityManagerFactory() {
    LocalContainerEntityManagerFactoryBean em = new LocalContainerEntityManagerFactoryBean();
    em.setPersistenceUnitName(Config.PERSISTENCE_UNIT_NAME);
    em.setPersistenceXmlLocation("META-INF/persistence.xml");
    em.setDataSource(getDataSource());
    em.setJpaVendorAdapter(getJpaHibernateVendorAdapter());
    em.afterPropertiesSet();
    return em.getObject();
}

@Bean
public HibernateJpaVendorAdapter getJpaHibernateVendorAdapter() {
    HibernateJpaVendorAdapter adapter = new HibernateJpaVendorAdapter();
    adapter.setShowSql(true);
    // adapter.setDatabase("ORACLE");
    adapter.setDatabasePlatform("org.hibernate.dialect.Oracle10gDialect");
    return adapter;
}

@Bean(name="dataSource", destroyMethod = "")
//http://stackoverflow.com/questions/19158837/weblogic-datasource-disappears-from-jndi-tree
@Qualifier("dataSource")
@Profile("weblogic")
public DataSource dataSource() {
    DataSource dataSource = null;
    JndiTemplate jndi = new JndiTemplate();
    try {
        dataSource = (DataSource) jndi.lookup("jdbc/datasource");
    } catch (NamingException e) {
        logger.error("NamingException for jdbc/datasource", e);
    }
    return dataSource;
}

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurerAdapter() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            registry.addMapping("/**").allowedOrigins("*").allowedMethods("*");
        }
    };
}

}

WebSecurityConfiguration.java

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@ComponentScan({ 
    "com.subject", 
    "com.custom" 
    })
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private StatelessAuthenticationFilter statelessAuthenticationFilter;

@Autowired
private RestAuthenticationEntryPoint unauthorizedHandler;

@Autowired
private CusAuthenticationProvider cusAuthenticationProvider;


 @Override
 protected void configure(AuthenticationManagerBuilder auth) {
     auth.authenticationProvider(cusAuthenticationProvider);
 }

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .securityContext()
    .and()
        .sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)             
    .and()
        .authorizeRequests().anyRequest().authenticated()
    .and()
        .addFilterBefore(statelessAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
    .exceptionHandling().authenticationEntryPoint(unauthorizedHandler);     
}

}

StatelessAuthenticationFilter.java

@Component
public class StatelessAuthenticationFilter extends OncePerRequestFilter   {



@Inject
private SubjectLookupService subjectLookupService;

@Override
public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws IOException, ServletException {

    SecurityContextHolder.getContext().setAuthentication(authenticateUser(request));

    filterChain.doFilter(request, response);
}

private Authentication authenticateUser(HttpServletRequest request) {
    try {
        String application = StringUtils.defaultString(request.getParameter("application"));

        UserInfo me = subjectLookupService.getUserInfo();

        List<GrantedAuthority> roles = me.getRoles().stream()                   
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role.getName())).collect(Collectors.toList());

        UserDetails user = new User(me.getUsername(), "", roles);

        Authentication authentication = new UserAuthentication(user);

        return authentication;
    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }
}

}

Controller.java

@RestController
public class Controller {

@Autowired
private QService qService;

@PreAuthorize("hasAnyRole('view', 'admin')")
@RequestMapping(value = "/q/{year}", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
public ResponseEntity<?> listQuotas(@PathVariable Integer year) {

    return new ResponseEntity<>(qService.listQs(year), HttpStatus.OK);
}

@RequestMapping(value = "/user", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
public ResponseEntity<?> user(HttpServletRequest request) {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    return new ResponseEntity<>( auth.getPrincipal(), HttpStatus.OK);
}

@PreAuthorize("hasRole('shouldntauthorize')")
@RequestMapping(value = "/unauthorized/{year}", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
public ResponseEntity<?> unauthorized(@PathVariable Integer year) {

    return new ResponseEntity<>(qService.listQs(year), HttpStatus.OK);
}

}

When it works - I am able to hit any of the above methods using HTTP gets and I am getting correct responses. When it's not working, I am constantly getting:

2017-01-05 14:18:47.506  WARN 11252 --- [ (self-tuning)'] o.s.web.servlet.PageNotFound             : No mapping found for HTTP request with URI [/user] in DispatcherServlet with name 'dispatcherServlet'

I can verify in the logs that when Spring Boot initializes the application is also sets the correct mapping URL.

Any ideas what could be the problem here?

karruma
  • 768
  • 1
  • 12
  • 32

1 Answers1

0

when you say "intermittently" I tend to think that the problem is with Spring startup configuration.

So, I'd be weary on the fact that you have @ComponentScan twice, and with different packages.

Could you try removing

@ComponentScan(basePackages = { "com.controller", "com.service", "com.dao"})

from class WebConfiguration.java and

@ComponentScan({ "com.subject", "com.custom" })

from class WebSecurityConfiguration.java, and replace them with a single

@ComponentScan(basePackages = { "com.controller", "com.service", "com.dao", "com.subject", "com.custom"})

in the main SpringBoot class?

alexramos
  • 61
  • 7