java - Why is Spring Security working in Tomcat but not when deployed to Weblogic?
I'm not a Java developer, but a project for a client has required me to be, so maybe I'm missing something glaringly obvious.
I'm using Spring Boot, and everything works fine when the application runs in Tomcat on my local machine and on our testing server. However, when the application is deployed to WebLogic it's as if there is no security at all, with all routes accessible. The login and logout routes are non-existent as well.
That being said, everything else appears to work fine, just without any security at all.
I don't have access to WebLogic, as the client is the one deploying the code, but they have told us that it's running on 12c. What can I do to fix or troubleshoot this?
Here's the relevant config from my Application.java:
    /**
     * Type authentication security.
     */
    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Configuration
    protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {

        /**
         * Users.
         */
        @Autowired
        private Users users;

        /**
         * Init void.
         *
         * @param auth auth
         * @throws Exception exception
         */
        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(users).passwordEncoder(new BCryptPasswordEncoder());
        }
    }

    /**
     * Type application security.
     */
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

        /**
         * Configure void.
         *
         * @param http http
         * @throws Exception exception
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http.authorizeRequests()
                .antMatchers("/vendor/*","/public/**/*","/partners/*","/events/*", "/login").permitAll()
                .anyRequest().fullyAuthenticated().and().formLogin().loginPage("/login")
                .and().logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout")).and()
                .exceptionHandling().accessDeniedPage("/access?error");
            // @formatter:on
        }
    }
Thanks in advance.
It sounds as though you are running into SEC-2465. In short, there is a bug in WebLogic related to adding Filter instances. From the above JIRA:
Oracle acknowledged it as a bug: 17382048, fixed with patch 16769849. Reported as being fixed in WLS 12.1.3
The client should update their WebLogic server to get a fix. Alternatively, you can create your own version of AbstractSecurityWebApplicationInitializer that registers springSecurityFilterChain with the class method:
    servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass)
Your subclass of AbstractSecurityWebApplicationInitializer would then extend your custom class instead.
Update
Based on the updated information, I still contend the issue is related to the WebLogic bug mentioned above. When using SpringBootServletInitializer, the filters are added with FilterRegistrationBean as an instance rather than a class.
The easiest option is to update WebLogic, since everything should then work as is.
To work around the issue, you can disable the registration of Spring Security and other filters. You can do this by creating a FilterRegistrationBean like the following:
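    // Keep the springSecurityFilterChain bean, but stop Spring Boot from
    // registering it with the container as a Filter instance.
    @Bean
    public FilterRegistrationBean springSecurityFilterChainRegistrationBean(
            @Qualifier("springSecurityFilterChain") Filter filter) {
        FilterRegistrationBean bean = new FilterRegistrationBean();
        bean.setFilter(filter);
        bean.setEnabled(false);
        return bean;
    }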
Then you need to ensure the filter is registered using
    servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass)
Spring Security can be registered with the above mechanism by implementing WebApplicationInitializer. For example, you can create the following class:
    package demo;

    import java.util.EnumSet;

    import javax.servlet.FilterRegistration.Dynamic;
    import javax.servlet.*;

    import org.springframework.web.WebApplicationInitializer;
    import org.springframework.web.filter.DelegatingFilterProxy;

    public class SecurityInitializer implements WebApplicationInitializer {

        @Override
        public void onStartup(ServletContext context) throws ServletException {
            // Register by class, not by instance, to avoid the WebLogic bug
            Dynamic registration =
                    context.addFilter("springSecurityFilterChain", DelegatingFilterProxy.class);
            EnumSet<DispatcherType> dispatcherTypes =
                    EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC);
            registration.addMappingForUrlPatterns(dispatcherTypes, true, "/*");
        }
    }
The DelegatingFilterProxy will look up a bean of the name "springSecurityFilterChain" and delegate to it every time doFilter is invoked.
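A post-deployment check for the symptom described in the question, as an added example that is not part of the original question or answer: it requests a protected route anonymously and fails unless the response redirects to /login and the /login page itself is served. The class name SecuritySmokeTest and both command-line arguments (base URL and a protected path) are assumptions.

```java
import java.net.HttpURLConnection;
import java.net.URL;

/** Post-deployment smoke test: fails if the Spring Security filter chain is not applied. */
public class SecuritySmokeTest {

    /** Issues a GET without following redirects so the container's raw answer is visible. */
    static HttpURLConnection get(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        return c;
    }

    /** True when an anonymous request to a protected path is redirected to the login page. */
    static boolean redirectsToLogin(int status, String location) {
        boolean redirect = status == 302 || status == 303 || status == 307;
        return redirect && location != null && location.contains("/login");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SecuritySmokeTest <baseUrl> <protectedPath>");
            System.exit(2);
        }
        String base = args[0];          // context root of the deployment (assumption)
        String protectedPath = args[1]; // any route not listed under permitAll() (assumption)

        // With the filter chain active, anyRequest().fullyAuthenticated() forces a redirect.
        HttpURLConnection anon = get(base + protectedPath);
        int status = anon.getResponseCode();
        String location = anon.getHeaderField("Location");
        boolean protectedOk = redirectsToLogin(status, location);
        System.out.println(protectedPath + " -> " + status + " Location=" + location
                + (protectedOk ? " OK" : " FAIL: not redirected to /login"));

        // The question reports the login route missing entirely when the chain is absent.
        int loginStatus = get(base + "/login").getResponseCode();
        boolean loginOk = loginStatus == 200;
        System.out.println("/login -> " + loginStatus
                + (loginOk ? " OK" : " FAIL: login route not served"));

        System.exit(protectedOk && loginOk ? 0 : 1);
    }
}
```

Because it exits non-zero on failure, whoever deploys to WebLogic can run it as a gate after each deployment without needing access to the application's source.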