SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0
151 stars, 135 forks

java.lang.NoSuchMethodError: com.nimbusds.joser.toJSONObject() Lnet/minidev/json/JSONObject #429

Closed dnconan closed 3 years ago

dnconan commented 3 years ago

I have a basic Spring Boot 2.4.0 app created with Spring Initializr, uploaded to SAP Cloud Platform to run with HANA and packaged as an executable JAR file with some RestControllers.

Without security configurations, everything is fine. But after add

In one of the controllers, whenever I send a request (with correct user access), it fails with the error below:

2020-12-11T16:00:14.13+0800 [RTR/2] OUT bulletinboard-ads-daisuke.cfapps.us10.hana.ondemand.com - [2020-12-11T08:00:14.009320131Z] "GET /api/v1/ads/ HTTP/1.1" 401 0 0 "https://accounts.sap.com/saml2/idp/sso?sp=uaa-cf-us10&RelayState=client_id%3D8c960bdf-f522-45b6-80e1-b6e0c3fc4785%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252F455b34d0trial.authentication.us10.hana.ondemand.com%252Flogin%252Fcallback%252Fsap.default%26state%3D35Wek0osnN%26scope%3Dopenid%26nonce%3D9vzNmL8vhDx4" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko" "-" "10.32.2.5:61009" x_forwarded_for:"-" x_forwarded_proto:"https" vcap_request_id:"a60e7b1e-c7ff-484b-4946-02bfd09128ec" response_time:0.130418 gorouter_time:0.000130 app_id:"9e8092ef-4e8c-47b9-828e-9c034cc8c9cb" app_index:"0" x_cf_routererror:"-" x_correlationid:"b7db88b3-2dc0-485c-4b20-e074aee0fdb3" tenantid:"-" sap_passport:"-" x_scp_request_id:"ad230392-f892-4994-bcbc-df548c0099c0-5FD3270D-54A9080" x_cf_app_instance:"-" x_b3_traceid:"6e63237599f82a65" x_b3_spanid:"6e63237599f82a65" x_b3_parentspanid:"-" b3:"6e63237599f82a65-6e63237599f82a65"
2020-12-11T16:00:14.13+0800 [RTR/2] OUT
2020-12-11T16:00:19.91+0800 [APP/PROC/WEB/0] OUT 2020-12-11 08:00:19.909 ERROR 26 --- [nio-8080-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Filter execution threw an exception] with root cause
2020-12-11T16:00:19.91+0800 [APP/PROC/WEB/0] OUT java.lang.NoSuchMethodError: com.nimbusds.jose.Header.toJSONObject()Lnet/minidev/json/JSONObject;
2020-12-11T16:00:19.91+0800 [APP/PROC/WEB/0] OUT     at com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder$1.getJku(XsuaaJwtDecoder.java:54) ~[spring-xsuaa-2.8.0.jar:na]
2020-12-11T16:00:19.91+0800 [APP/PROC/WEB/0] OUT     at com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder.verifyToken(XsuaaJwtDecoder.java:95) ~[spring-xsuaa-2.8.0.jar:na]
2020-12-11T16:00:19.91+0800 [APP/PROC/WEB/0] OUT     at com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder.decode(XsuaaJwtDecoder.java:80) ~[spring-xsuaa-2.8.0.jar:na]
2020-12-11T16:00:19.91+0800 [APP/PROC/WEB/0] OUT     at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:84) ~[spring-security-oauth2-resource-server-5.3.4.RELEASE.jar:5.3.4.RELEASE]

The Maven dependency tree is:

[INFO] com.sap:bulletinboard:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.4.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.4.0:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.6:compile
[INFO] |  +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] |  +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:5.4.23.Final:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.18:compile
[INFO] |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  +- org.jboss:jandex:jar:2.1.3.Final:compile
[INFO] |  |  +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  +- org.dom4j:dom4j:jar:2.1.3:compile
[INFO] |  |  \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.3:compile
[INFO] |  |     +- org.glassfish.jaxb:txw2:jar:2.3.3:compile
[INFO] |  |     +- com.sun.istack:istack-commons-runtime:jar:3.0.11:compile
[INFO] |  |     \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:2.4.1:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:2.4.1:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:5.3.1:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:5.3.1:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.1:compile
[INFO] |  \- org.springframework:spring-aspects:jar:5.3.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.4.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.4.0:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.4.0:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.27:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.1:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.4.1:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.4.1:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.4.0:compile
[INFO] |  +- com.zaxxer:HikariCP:jar:3.4.5:compile
[INFO] |  \- org.springframework:spring-jdbc:jar:5.3.1:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter:jar:3.0.0-M5:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-context:jar:3.0.0-M5:compile
[INFO] |  |  \- org.springframework.security:spring-security-crypto:jar:5.4.1:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-commons:jar:3.0.0-M5:compile
[INFO] |  \- org.springframework.security:spring-security-rsa:jar:1.0.9.RELEASE:compile
[INFO] |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.64:compile
[INFO] |        \- org.bouncycastle:bcprov-jdk15on:jar:1.64:compile
[INFO] +- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.8.0:compile
[INFO] |  \- com.sap.cloud.security.xsuaa:spring-xsuaa:jar:2.8.0:compile
[INFO] |     +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |     |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] |     +- com.sap.cloud.security.xsuaa:api:jar:2.8.0:compile
[INFO] |     +- com.sap.cloud.security.xsuaa:token-client:jar:2.8.0:compile
[INFO] |     |  +- com.sap.cloud.security:java-api:jar:2.8.0:compile
[INFO] |     |  |  \- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] |     |  \- org.json:json:jar:20200518:compile
[INFO] |     +- com.github.ben-manes.caffeine:caffeine:jar:2.8.6:compile
[INFO] |     |  \- com.google.errorprone:error_prone_annotations:jar:2.4.0:compile
[INFO] |     \- commons-io:commons-io:jar:2.6:compile
[INFO] +- org.springframework.security:spring-security-oauth2-resource-server:jar:5.3.4.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.4.1:compile
[INFO] |  +- org.springframework.security:spring-security-oauth2-core:jar:5.4.1:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.1:compile
[INFO] |     \- org.springframework:spring-jcl:jar:5.3.1:compile
[INFO] +- org.springframework.security:spring-security-oauth2-jose:jar:5.3.4.RELEASE:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.1.2:compile
[INFO] |     \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] +- org.springframework.cloud:spring-cloud-localconfig-connector:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-core:jar:1.2.0.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-cloudfoundry-connector:jar:2.0.7.RELEASE:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-connectors-core:jar:2.0.7.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-spring-service-connector:jar:2.0.7.RELEASE:compile
[INFO] |  \- org.springframework:spring-context:jar:5.3.1:compile
[INFO] +- com.sap.cloud.db.jdbc:ngdbc:jar:2.5.49:compile
[INFO] +- com.sap.hana.cloud:spring-cloud-cloudfoundry-hana-service-connector:jar:1.0.4.RELEASE:compile
[INFO] |  \- com.sap.hana.cloud:spring-cloud-sap-core:jar:1.0.4.RELEASE:compile
[INFO] +- com.sap.hana.cloud:spring-cloud-sap-connector:jar:1.0.4.RELEASE:compile
[INFO] +- org.apache.commons:commons-dbcp2:jar:2.1.1:runtime
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.9.0:runtime
[INFO] +- org.eclipse.persistence:org.eclipse.persistence.jpa:jar:2.6.2:compile
[INFO] |  +- org.eclipse.persistence:javax.persistence:jar:2.1.1:compile
[INFO] |  +- org.eclipse.persistence:org.eclipse.persistence.asm:jar:2.6.2:compile
[INFO] |  +- org.eclipse.persistence:org.eclipse.persistence.antlr:jar:2.6.2:compile
[INFO] |  +- org.glassfish:javax.json:jar:1.0.4:compile
[INFO] |  +- org.eclipse.persistence:org.eclipse.persistence.jpa.jpql:jar:2.6.2:compile
[INFO] |  \- org.eclipse.persistence:org.eclipse.persistence.core:jar:2.6.2:compile
[INFO] +- javax.inject:javax.inject:jar:1:compile
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
[INFO] +- com.jayway.jsonpath:json-path:jar:2.2.0:compile
[INFO] |  +- net.minidev:json-smart:jar:2.3:compile
[INFO] |  |  \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |  |     \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- com.github.fge:json-schema-validator:jar:2.2.6:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.0:compile
[INFO] |  +- joda-time:joda-time:jar:2.3:compile
[INFO] |  +- com.googlecode.libphonenumber:libphonenumber:jar:6.2:compile
[INFO] |  +- com.github.fge:json-schema-core:jar:1.2.5:compile
[INFO] |  |  +- com.github.fge:uri-template:jar:0.9:compile
[INFO] |  |  |  +- com.github.fge:msg-simple:jar:1.1:compile
[INFO] |  |  |  |  \- com.github.fge:btf:jar:1.2:compile
[INFO] |  |  |  \- com.google.guava:guava:jar:16.0.1:compile
[INFO] |  |  +- com.github.fge:jackson-coreutils:jar:1.8:compile
[INFO] |  |  \- org.mozilla:rhino:jar:1.7R4:compile
[INFO] |  +- javax.mail:mailapi:jar:1.4.3:compile
[INFO] |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  \- net.sf.jopt-simple:jopt-simple:jar:4.6:compile
[INFO] +- org.hibernate:hibernate-entitymanager:jar:5.2.3.Final:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  +- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
[INFO] |  +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] |  +- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] |  \- org.apache.geronimo.specs:geronimo-jta_1.1_spec:jar:1.1.1:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.62:compile
[INFO] +- org.hibernate.validator:hibernate-validator-cdi:jar:6.1.0.Final:compile
[INFO] |  \- org.hibernate.validator:hibernate-validator:jar:6.1.6.Final:compile
[INFO] |     \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:2.4.0:runtime (optional)
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.4.0:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.4.0:compile
[INFO] +- org.postgresql:postgresql:jar:42.2.18:runtime
[INFO] |  \- org.checkerframework:checker-qual:jar:3.5.0:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.4.0:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.4.0:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.4.0:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  +- org.assertj:assertj-core:jar:3.18.1:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.7.0:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.7.0:test
[INFO] |  |  |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  \- org.junit.platform:junit-platform-commons:jar:1.7.0:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.7.0:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.7.0:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.7.0:test
[INFO] |  +- org.mockito:mockito-core:jar:3.6.0:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.10.18:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.1:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:3.6.0:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-test:jar:5.3.1:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.7.0:test
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.4.0:compile
[INFO]    +- org.springframework.boot:spring-boot-starter-json:jar:2.4.0:compile
[INFO]    |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.3:compile
[INFO]    |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.3:compile
[INFO]    |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.3:compile
[INFO]    +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.4.0:compile
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.39:compile
[INFO]    |  +- org.glassfish:jakarta.el:jar:3.0.3:compile
[INFO]    |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.39:compile
[INFO]    +- org.springframework:spring-web:jar:5.3.1:compile
[INFO]    \- org.springframework:spring-webmvc:jar:5.3.1:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------

The web security configuration class is:

import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfigurationDefault;
import com.sap.cloud.security.xsuaa.token.TokenAuthenticationConverter;
import com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoderBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    XsuaaServiceConfiguration xsuaaServiceConfiguration;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                // with setLocalScopeAsAuthorities(true) below, authority "Display" means scope "<xsappId>.Display"
                .antMatchers("/api/v1/ads/**").hasAuthority("Display")
                // never reached: the matcher above already covers this path pattern
                .antMatchers("/api/v1/ads/**").authenticated()
                .anyRequest().denyAll()
                .and()
                .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(getJwtAuthenticationConverter());
        // @formatter:on
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // decoder that fetches the XSUAA JWKS (via the token's jku header) and verifies the signature
        return new XsuaaJwtDecoderBuilder(xsuaaServiceConfiguration).build();
    }

    @Bean
    @ConditionalOnMissingBean(XsuaaServiceConfiguration.class)
    public XsuaaServiceConfiguration xsuaaServiceConfiguration() {
        // reads the XSUAA binding from VCAP_SERVICES
        return new XsuaaServiceConfigurationDefault();
    }

    /**
     * Customizes how GrantedAuthority are derived from a Jwt
     */
    Converter<Jwt, AbstractAuthenticationToken> getJwtAuthenticationConverter() {
        TokenAuthenticationConverter converter = new TokenAuthenticationConverter(xsuaaServiceConfiguration);
        converter.setLocalScopeAsAuthorities(true);
        return converter;
    }

}

I get an HTTP 500 error instead of 401 or 403. I tried every possible thing, including Oauth 2.0 Integration Sample: java.lang.NoSuchMethodError: com.nimbusds.jose.Header.toJSONObject() (Issue #122, spring-projects-experimental/spring-authorization-server on GitHub), but it is still not working.

Could any expert provide a resolution to this error? Much appreciated in advance!!

liga-oz commented 3 years ago

Hi @dnconan,

Thanks for the detailed error description. The error you're seeing is due to the com.nimbusds:nimbus-jose-jwt:jar:9.1.2 library, which is incompatible with xsuaa-spring-boot-starter 2.8.0. I can see from the dependency tree that even with spring-security-oauth2-jose 5.3.4.RELEASE, which uses nimbus-jose-jwt version 8.19, in your case the version is overwritten to 9.1.2:

[INFO] +- org.springframework.security:spring-security-oauth2-jose:jar:5.3.4.RELEASE:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.1.2:compile

In this case I would suggest explicitly defining the nimbus-jose-jwt version as the last compatible version, 8.20.1, in your pom file:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>8.20.1</version>
</dependency>

References #414

Best Regards, Liga
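One way to apply the pin Liga describes so that the conflict is caught at build time instead of surfacing as an HTTP 500 on every authenticated request in production. This is an added example, not code from this issue or from the library: a `<dependencyManagement>` entry fixes nimbus-jose-jwt to 8.20.1 on every transitive path (a plain `<dependency>` only wins Maven's nearest-wins resolution for the direct path), and a Maven Enforcer `bannedDependencies` rule fails the build if any dependency drags a 9.x version back in. The enforcer plugin version 3.0.0-M3 and the placement in the application's own pom.xml are assumptions; the groupId/artifactId of the app are taken from the dependency tree above.

```xml
<project>
  <!-- assumed: the rest of the application pom (com.sap:bulletinboard) is unchanged -->

  <dependencyManagement>
    <dependencies>
      <!-- Pin nimbus-jose-jwt for every transitive path. spring-xsuaa 2.8.0 calls
           Header.toJSONObject() with the return type shown in the stack trace
           (net.minidev.json.JSONObject); that signature no longer exists in 9.x,
           hence the NoSuchMethodError at runtime. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>8.20.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M3</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-incompatible-nimbus-jose-jwt</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- version range: any nimbus-jose-jwt 9.0 or newer fails the build -->
                    <exclude>com.nimbusds:nimbus-jose-jwt:[9.0,)</exclude>
                  </excludes>
                  <message>
                    nimbus-jose-jwt 9.x is not compatible with spring-xsuaa 2.8.0 (see issue #429);
                    keep the dependencyManagement pin at 8.20.1.
                  </message>
                </bannedDependencies>
              </rules>
              <failFast>true</failFast>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After changing the pom, `mvn dependency:tree -Dincludes=com.nimbusds` shows only the effective nimbus-jose-jwt version and which artifact pulls it in, which is the quickest way to confirm the pin took effect. The enforcer rule matters because the tree above already shows the oauth2 modules (5.3.4.RELEASE) out of step with the rest of Spring Security (5.4.1); a later bump of either side would silently reintroduce the same runtime failure without it.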

dnconan commented 3 years ago

Hi @liga-oz,

Thank you for your quick help, it really hits the point!

After I explicitly defined the nimbus-jose-jwt version as the last compatible version, 8.20, in my pom file, it works!

However, I am a little confused that xsuaa-spring-boot-starter 2.8.0 is not compatible with the latest nimbus jar but only with the older one. Is there something wrong with backward compatibility or the development lifecycle...

Anyway, I much appreciate your help on this issue!

Best regards, Dnconan

happyliuxq commented 1 year ago

If you want to continue using version 9.0+, you need to upgrade spring-security-oauth2-jose.
