spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Spring WebFlux - reactor core exception - accessing endpoint with HTTP basic auth #15348

Open dreamstar-enterprises opened 2 months ago

dreamstar-enterprises commented 2 months ago

I'm sure this shouldn't happen, but when I try to access an endpoint requiring basic HTTP authentication from Postman, with Postman's authentication set to none, instead of getting not authenticated / not authorized back, Spring Boot throws an exception and crashes:

2024-07-02T21:54:33.799+01:00 WARN 79450 --- [ parallel-1] reactor.core.Exceptions : throwIfFatal detected a jvm fatal exception, which is thrown and logged below:

java.lang.StackOverflowError: null
    at reactor.core.publisher.InnerOperator.currentContext(InnerOperator.java:33) ~[reactor-core-3.5.11.jar:3.5.11]
    at reactor.core.publisher.MonoFlatMap$FlatMapInner.currentContext(MonoFlatMap.java:270) ~[reactor-core-3.5.11.jar:3.5.11]
    at reactor.core.publisher.InnerOperator.currentContext(InnerOperator.java:33) ~[reactor-core-3.5.11.jar:3.5.11]
    at reactor.core.publisher.InnerOperator.currentContext(InnerOperator.java:33) ~[reactor-core-3.5.11.jar:3.5.11]
    at reactor.core.publisher.InnerOperator.currentContext(InnerOperator.java:33) ~[reactor-core-3.5.11.jar:3.5.11]
    at reactor.core.publisher.InnerOperator.currentContext(InnerOperator.java:33) ~[reactor-core-3.5.11.jar:3.5.11]
    at reactor.core.publisher.InnerOperator.currentContext(InnerOperator.java:33) ~[reactor-core-3.5.11.jar:3.5.11


jzheaux commented 1 month ago

Thanks, @dreamstar-enterprises, will you please share a minimal reproducer to help get to the bottom of the issue faster?

dreamstar-enterprises commented 1 month ago

I have a 6-week code base to try and do this (I only have half an auth server working, and the resource server sort of works).

I've since been able to get past the above problem. I can't, though, get the auth server URL redirection to work without using HttpSessionSecurityContextRepository.

It did not work on the Null or RequestAttribute version - on the redirect, it just couldn't find the authenticated principal.

I don't know if it is best practice, but I ended up setting the session time to 5 seconds.

I do wish there was just ONE comprehensive guide that explained how to connect (even if it was not a 20-min read, but a 90-min read...):

  1. Angular (User Agent)
  2. Spring Client Auth (BFF)
  3. Spring Auth Server (Stateless if possible, using Opaque Tokens)
  4. Spring Resource Server (REST, stateless, but with a caching strategy for the Authentication objects, so the introspection endpoint isn't queried on every request)

And how to host the Spring servers, where and how to use Spring Gateway or Spring Session / Redis.

I've spent 6 weeks on this, but really do feel I haven't got very far :(

Thanks for the help so far though. Do you do consultancy work? I have a small budget.