Spring-boot: non-sensitive actuator endpoints require full authentication when @EnableResourceServer is used (oauth2)

Created on 2 Feb 2016 · 17 Comments · Source: spring-projects/spring-boot

According to the docs for 1.3 for health access restrictions, a non-sensitive health endpoint should allow anonymous access. However, this stops working if the @EnableResourceServer annotation is found. When the OAuth2 resource server is enabled, even non-sensitive endpoints require full authentication.

enhancement

All 17 comments

@dsyer does the OAuth auto-config mess with security at all?

If you @EnableResourceServer and don't provide an order for the filter I guess it's going to be before the actuator one. We could change the default order?

I am not sure if this will be helpful or not, but here are the log statements for initialization and a request to the health endpoint. The only non-default configuration I have that affects the actuators is management.contextPath=/manage.

2016-02-03 14:13:22.926 DEBUG 18679 --- [  restartedMain] com.iscs.api.authentication.Application  : Running with Spring Boot v1.3.2.RELEASE, Spring v4.2.4.RELEASE
2016-02-03 14:13:25.474  INFO 18679 --- [  restartedMain] org.apache.catalina.core.StandardEngine  : Starting Servlet Engine: Apache Tomcat/8.0.30
2016-02-03 14:13:25.567  INFO 18679 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2016-02-03 14:13:26.107  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'metricFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'characterEncodingFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'httpPutFormContentFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'requestContextFilter' to: [/*]
2016-02-03 14:13:26.111  INFO 18679 --- [ost-startStop-1] .e.DelegatingFilterProxyRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2016-02-03 14:13:26.111  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'webRequestLoggingFilter' to: [/*]
2016-02-03 14:13:26.112  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'applicationContextIdFilter' to: [/*]
2016-02-03 14:13:26.112  INFO 18679 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean        : Mapping servlet: 'dispatcherServlet' to [/]
2016-02-03 14:13:26.458 DEBUG 18679 --- [ost-startStop-1] eGlobalAuthenticationAutowiredConfigurer : Eagerly initializing {org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration=org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration$$EnhancerBySpringCGLIB$$87675bbc@3858f6fe}
2016-02-03 14:13:26.876 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Looking for request mappings in application context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@40ea3071: startup date [Wed Feb 03 14:13:22 CST 2016]; root of context hierarchy
2016-02-03 14:13:26.896 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 2 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint: {public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map,java.util.Map,org.springframework.web.bind.support.SessionStatus,java.security.Principal)={[/oauth/authorize]}, public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map,java.util.Map,org.springframework.web.bind.support.SessionStatus,java.security.Principal)={[/oauth/authorize],methods=[POST],params=[user_oauth_approval]}}
2016-02-03 14:13:26.897  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/authorize]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
2016-02-03 14:13:26.898  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/authorize],methods=[POST],params=[user_oauth_approval]}" onto public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
2016-02-03 14:13:26.901 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 2 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.TokenEndpoint: {public org.springframework.http.ResponseEntity org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map) throws org.springframework.web.HttpRequestMethodNotSupportedException={[/oauth/token],methods=[GET]}, public org.springframework.http.ResponseEntity org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(java.security.Principal,java.util.Map) throws org.springframework.web.HttpRequestMethodNotSupportedException={[/oauth/token],methods=[POST]}}
2016-02-03 14:13:26.901  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/token],methods=[GET]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException
2016-02-03 14:13:26.901  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/token],methods=[POST]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException
2016-02-03 14:13:26.903 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint: {public java.util.Map org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint.checkToken(java.lang.String)={[/oauth/check_token]}}
2016-02-03 14:13:26.903  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/check_token]}" onto public java.util.Map<java.lang.String, ?> org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint.checkToken(java.lang.String)
2016-02-03 14:13:26.904 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint: {public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map,javax.servlet.http.HttpServletRequest) throws java.lang.Exception={[/oauth/confirm_access]}}
2016-02-03 14:13:26.904  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/confirm_access]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map<java.lang.String, java.lang.Object>,javax.servlet.http.HttpServletRequest) throws java.lang.Exception
2016-02-03 14:13:26.904 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint: {public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint.handleError(javax.servlet.http.HttpServletRequest)={[/oauth/error]}}
2016-02-03 14:13:26.905  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/error]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint.handleError(javax.servlet.http.HttpServletRequest)
2016-02-03 14:13:26.907 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint: {public java.util.Map org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint.getKey(java.security.Principal)={[/oauth/token_key],methods=[GET]}}
2016-02-03 14:13:26.907  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/token_key],methods=[GET]}" onto public java.util.Map<java.lang.String, java.lang.String> org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint.getKey(java.security.Principal)
2016-02-03 14:13:26.946  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
2016-02-03 14:13:27.001 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'fullyAuthenticated', for Ant [pattern='/oauth/token']
2016-02-03 14:13:27.002 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/token_key']
2016-02-03 14:13:27.002 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'isAuthenticated()', for Ant [pattern='/oauth/check_token']
2016-02-03 14:13:27.009 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.010 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.019  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1c0fffcd, org.springframework.security.web.context.SecurityContextPersistenceFilter@5db122b0, org.springframework.security.web.header.HeaderWriterFilter@43e1bd3c, org.springframework.security.web.authentication.logout.LogoutFilter@1a5656c3, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@182b15bc, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@20a9eabb, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3ddbb523, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@622392, org.springframework.security.web.session.SessionManagementFilter@670b4970, org.springframework.security.web.access.ExceptionTranslationFilter@5ff345ea, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4b8ddeee]
2016-02-03 14:13:27.032 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-02-03 14:13:27.033 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.033 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.033  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4b33477f]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4f7fadf6, org.springframework.security.web.context.SecurityContextPersistenceFilter@2429fe51, org.springframework.security.web.header.HeaderWriterFilter@2fc2fc4a, org.springframework.security.web.authentication.logout.LogoutFilter@5f93ff29, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@721eb8d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7b9a6c68, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4302fffd, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3e0d2133, org.springframework.security.web.session.SessionManagementFilter@18608db1, org.springframework.security.web.access.ExceptionTranslationFilter@93adad6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4346b119]
2016-02-03 14:13:27.037 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration$LazyEndpointPathRequestMatcher@4765d070
2016-02-03 14:13:27.038 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasRole('ROLE_ADMIN')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-02-03 14:13:27.039 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.040 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.040  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/manage/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@282abc01, org.springframework.security.web.context.SecurityContextPersistenceFilter@37de1b2b, org.springframework.security.web.header.HeaderWriterFilter@3a365b84, org.springframework.security.web.authentication.logout.LogoutFilter@a5840c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@1eba4275, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2244a646, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2a2623f1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1050ce2c, org.springframework.security.web.session.SessionManagementFilter@2af01b32, org.springframework.security.web.access.ExceptionTranslationFilter@602ea422, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@60395d60]
2016-02-03 14:13:27.042 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ADMIN')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-02-03 14:13:27.042 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.042 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.042  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@71ab9b21, org.springframework.security.web.context.SecurityContextPersistenceFilter@1ec3914f, org.springframework.security.web.header.HeaderWriterFilter@23f77658, org.springframework.security.web.authentication.logout.LogoutFilter@79639d17, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7b28329d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@209d6b99, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@38c08c64, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@17c02eac, org.springframework.security.web.session.SessionManagementFilter@51821c0f, org.springframework.security.web.access.ExceptionTranslationFilter@7be8a117, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@53d592d6]
2016-02-03 14:13:49.829  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/env/{name:.*}],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EnvironmentMvcEndpoint.value(java.lang.String)
2016-02-03 14:13:49.829  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/env || /manage/env.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.830  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/beans || /manage/beans.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.830  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/dump || /manage/dump.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.831  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/buildscriptDependencies || /manage/buildscriptDependencies.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.831  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/trace || /manage/trace.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.832  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage || /manage.json],produces=[application/json]}" onto public org.springframework.hateoas.ResourceSupport org.springframework.boot.actuate.endpoint.mvc.HalJsonMvcEndpoint.links()
2016-02-03 14:13:49.833  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/configuration || /manage/configuration.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.833  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/info || /manage/info.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.834  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/runtimeDependencies || /manage/runtimeDependencies.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.834  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/mappings || /manage/mappings.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.834  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/autoconfig || /manage/autoconfig.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.835  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/metrics/{name:.*}],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.MetricsMvcEndpoint.value(java.lang.String)
2016-02-03 14:13:49.835  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/metrics || /manage/metrics.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.836  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/configprops || /manage/configprops.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.836  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/health || /manage/health.json],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(java.security.Principal)
2016-02-03 14:13:56.770  INFO 18679 --- [  restartedMain] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 8080 (http)
2016-02-03 14:13:56.778  INFO 18679 --- [  restartedMain] com.iscs.api.authentication.Application  : Started Application in 35.763 seconds (JVM running for 36.508)


2016-02-03 14:18:24.149  INFO 18679 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/css/**'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/js/**'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/images/**'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/**/favicon.ico'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/error'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token_key']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token_key'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/check_token']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/check_token'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4b33477f
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : matched
2016-02-03 14:18:24.227  INFO 18679 --- [nio-8080-exec-1] Spring Security Debugger                 : 

************************************************************

Request received for GET '/manage/health':

org.apache.catalina.connector.RequestFacade@2fdb2c31

servletPath:/manage/health
pathInfo:null
headers: 
host: localhost:8080
connection: keep-alive
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
dnt: 1
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  OAuth2AuthenticationProcessingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/css/**'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/js/**'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/images/**'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/**/favicon.ico'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/error'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token_key']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token_key'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/check_token']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/check_token'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4b33477f
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : matched
2016-02-03 14:18:24.255 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-02-03 14:18:24.256 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@21b24c95
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/logout'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor         : Token not found in headers. Trying request parameters.
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor         : Token not found in request parameters.  Not an OAuth2 request.
2016-02-03 14:18:24.258 DEBUG 18679 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2016-02-03 14:18:24.258 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-02-03 14:18:24.258 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-02-03 14:18:24.259 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-02-03 14:18:24.260 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-02-03 14:18:24.260 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-02-03 14:18:24.261 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-02-03 14:18:24.261 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-02-03 14:18:24.262 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /manage/health; Attributes: [#oauth2.throwOnError(authenticated)]
2016-02-03 14:18:24.262 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-02-03 14:18:24.267 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@42436610, returned: -1
2016-02-03 14:18:24.274 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
      at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232) ~[spring-security-core-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176) [spring-security-oauth2-2.0.8.RELEASE.jar:na]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:75) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:62) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103) [spring-boot-actuator-1.3.2.RELEASE.jar:1.3.2.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at javax.servlet.FilterChain$doFilter.call(Unknown Source) [javax.servlet-api-3.1.0.jar:3.1.0]

2016-02-03 14:18:24.275 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2016-02-03 14:18:24.294 DEBUG 18679 --- [nio-8080-exec-1] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="unauthorized", error_description="Full authentication is required to access this resource"] as "application/xhtml+xml" using [org.springframework.security.oauth2.http.converter.jaxb.JaxbOAuth2ExceptionMessageConverter@10314b6b]
2016-02-03 14:18:24.294 DEBUG 18679 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

Also, I tried to override the default configuration using WebSecurityConfigurerAdapter with @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER). However, that did not seem to have any effect on the issue. I believe that this is due to ResourceServerConfiguration having an order of 3.

I did manage to work around the problem for the health endpoint by adding the following bean definition.

    @Bean
    ResourceServerConfigurer resourceServerConfigurer() {
        new ResourceServerConfigurerAdapter() {
            @Override
            void configure(ResourceServerSecurityConfigurer resources)
                    throws Exception {
                resources.resourceId('blah')
            }

            @Override
            void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests()
                // allow anonymous access to health check endpoint
                        .antMatchers("/manage/health").permitAll()
                // everything else requires authentication
                        .anyRequest().authenticated()
            }
        }
    }

Isn't this a more general issue with the Actuator access setup? It has an @Order annotation that is '2147483637' (5 less than org.springframework.boot.autoconfigure.security.SecurityProperties.BASIC_AUTH_ORDER).

But as soon as you add your own WebSecurityConfigurerAdapter to the app, it is ordered at 100 by default, and will disable this setup silently.

Understanding the role of @Order and the values used in existing autoconfig is important here, but there is no issue per se in having orders defined the way they are. There _is_ an issue with anonymous authentication in spring oauth when you try to skip the resource server paths (see github issue in that project for more detail).

Sure. @Order is important. But it is hardly obvious to the user what is going on.

Right now the documented Spring Boot Actuator "sensitive endpoint" concept will stop working if you add your own WebSecurityConfigurerAdapter. And from what I can tell, that is not even mentioned in the documentation. So you very easily get into a situation where you expose all sensitive endpoints without realizing it, to either everyone who is authenticated on the service (the default for WebSecurityConfigurerAdapter) or maybe even everyone if you decide your own endpoints should default to anonymous access.

Isn't the whole point of Spring Boot that things in the framework should work without additional configuration if you are only doing standard things?

And one small detail: SecurityProperties.BASIC_AUTH_ORDER is set to Ordered.LOWEST_PRECEDENCE - 5 and ManagementWebSecurityConfigurerAdapter then subtracts another 5 from that. So basically we have 8 positions to play around with there, making for a very tight little area of poorly documented order numbers that is apparently very important in this case.

maybe even everyone if you decide your own endpoints should default to anonymous access.

You can't stop people doing stupid things, so I don't think that scenario is worth a lot of attention, but some of your other points are interesting.

If something is not obvious then documentation is one answer. I don't actually think that the order properties are all that poorly documented (the javadocs have everything you need to know and they are mentioned several times in the user guide), but we can definitely add more if that helps.

Isn't the whole point of Spring Boot that things in the framework should work without additional configuration if you are only doing standard things?

That's one point of Spring Boot. Another is to let the user take control and get out of the way as quickly as possible if they show signs of wanting to do that. I suppose adding a WebSecurityConfigurerAdapter is a signal that the user wants to take control, so we assume at that point that she knows what she is doing. What you are saying is that this is a bad assumption, which is a fair point, since security configuration is hard and we don't want people to get it wrong if we see obvious antipatterns that can be avoided.

One thing we could do to make it harder to screw up is to change the SecurityProperties and ManagementProperties constants so that if a user adds a filter chain with default order (0) it slots into the SecurityProperties.ACCESS_OVERRIDE order.

You can't stop people doing stupid things, so I don't think that scenario is worth a lot of attention, but some of your other points are interesting.

That is totally true. The point was that they do it expecting everything else to work the same as before (and when I say _they_ I - of course - mean me 😄). It is not entirely stupid to set permitAll as default if you protect your own endpoints and expect ones that are documented to do the same will continue to do so.

In hindsight - with better understanding - I can see why that failed. But going in I didn't know I needed that understanding of that particular system.

That's one point of Spring Boot. Another is to let the user take control and get out of the way as quickly as possible if they show signs of wanting to do that. I suppose adding a WebSecurityConfigurerAdapter is a signal that the user wants to take control, so we assume at that point that she knows what she is doing. What you are saying is that this is a bad assumption, which is a fair point, since security configuration is hard and we don't want people to get it wrong if we see obvious antipatterns that can be avoided

The trouble is there is a lot of difference between taking control and fully knowing all the systems involved well enough to know what will happen. Debugging why our sensitive actuator endpoints weren't being protected took me on a bit of a journey. Once I figured it out it made sense. But it was not all that obvious that this would happen just by adding a WebSecurityConfigurerAdapter that is maybe just used to set the authentication implementation.

One thing we could do to make it harder to screw up is to change the SecurityProperties and ManagementProperties constants so that if a user adds a filter chain with default order (0) it slots into the SecurityProperties.ACCESS_OVERRIDE order.

It is a bit of a problem with the whole order system in the first place. That it is just an integer. It works great if you control the entire system and can put things into the right order.

But when building separated modules it becomes hard to know where the right place for you will be. And indeed Actuator in this case tries to base the order of its WebSecurityConfigurerAdapter to be before something else it knows it needs to run before. But in the case of this issue, as I see it, the OAuth2 resource server config should never have knowledge of the Actuator code from Spring Boot. So it can't really tie into that. And we end up with a difficult issue to solve that will always work.

One thing that would help is if we expect the default (order 100) WebSecurityConfigurerAdapter to be the one that defines the default access for everything not specific (which it does by default). So everything that does specific part access should likely happen before that. And then order Order.HIGHEST_PRECEDENCE would be a good place to be - if it isn't going to clash with someone else using that constant 🙄

@dsyer anything else we can do for this one?

Not in 1.4 I think (too late now). It's not really a bug though IMO. Maybe we can tweak the defaults to be less surprising in 1.5?

Some feedback based on our own experience with OAuth 2.0 security in production:
I believe the most intuitive default would be to leave the actuator security with HTTP Basic unless the user explicitly overrides it with something else, for example using @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER).
Maybe using a specific annotation would make it clearer.
The management endpoints serve a totally different purpose than business code; overriding their security should only be doable intentionally.

The reasoning behind this is that other forms of security proved unmanageable in production. We pushed a couple of apps with the management endpoints secured by OAuth 2.0, and our ops were rightfully pissed when they had to request a token in order to access metrics.
Also as stated earlier in this thread, it's too bad to lose the "sensitive" config once another security mechanism is configured, and it's not obvious even when you know a bit about Spring Security and Spring Boot.
We built our own OAuth 2.0 resource security starter before Spring Boot provided auto-configuration, and we ended up with the following defaults:

  • Basic for the actuator (no matter which port/context-path it runs on)
  • OAuth 2.0 bearer token required for anything else

@quintonm Here is a workaround that I believe should be Spring Boot's default behavior; it does not involve rewriting actuator endpoints' path patterns, which can get really tricky depending on management.contextPath and management.port:
http://stackoverflow.com/questions/35994813/spring-boot-oauth2-management-httpbasic-authentication/41431150#41431150

The idea is to extend ResourceServerConfiguration and downgrade its order by overriding the getOrder() method.

This way you only have to write an OAuth 2.0 resource configuration class (extending ResourceServerSecurityConfigurer), and leave the management security up to @dsyer.

We could change this in 1.5 still. Probably neater to add a BeanPostProcessor that just calls the setter on the existing bean, rather than overriding the config class.
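The BeanPostProcessor variant of that workaround, written out as an added example (not code from the thread or the linked StackOverflow answer; the class and bean names are assumptions). It moves the auto-configured ResourceServerConfiguration from its default order of 3 to SecurityProperties.ACCESS_OVERRIDE_ORDER, so the actuator's own HTTP Basic chain (ordered at ManagementServerProperties.BASIC_AUTH_ORDER, five positions earlier) gets to match /manage/** first and the "sensitive endpoint" rules keep working:

```java
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;

/**
 * Hypothetical configuration class (name assumed) for Spring Boot 1.3/1.4 with
 * spring-security-oauth2 2.0.x. Resulting filter-chain precedence:
 *
 *   ManagementServerProperties.BASIC_AUTH_ORDER   (LOWEST_PRECEDENCE - 10) actuator chain, HTTP Basic
 *   SecurityProperties.ACCESS_OVERRIDE_ORDER      (LOWEST_PRECEDENCE - 7)  resource server, bearer token
 *   SecurityProperties.BASIC_AUTH_ORDER           (LOWEST_PRECEDENCE - 5)  Boot's fallback chain
 *
 * With the default order of 3 the resource server chain sits in front of all of
 * these and claims /manage/health with "#oauth2.throwOnError(authenticated)",
 * which is the access-denied path shown in the log above.
 */
@Configuration
public class ResourceServerOrderConfig {

    // static: a BeanPostProcessor must be registered before the security
    // configurer beans it post-processes are instantiated
    @Bean
    public static BeanPostProcessor resourceServerOrderPostProcessor() {
        return new BeanPostProcessor() {
            @Override
            public Object postProcessBeforeInitialization(Object bean, String beanName)
                    throws BeansException {
                if (bean instanceof ResourceServerConfiguration) {
                    // ResourceServerConfiguration implements Ordered and exposes a
                    // setter; WebSecurityConfiguration sorts the configurers by
                    // getOrder() after the beans are fully initialised, so the new
                    // value is what gets used to build the FilterChainProxy.
                    ((ResourceServerConfiguration) bean)
                            .setOrder(SecurityProperties.ACCESS_OVERRIDE_ORDER);
                }
                return bean;
            }

            @Override
            public Object postProcessAfterInitialization(Object bean, String beanName)
                    throws BeansException {
                return bean;
            }
        };
    }
}
```

After the change, an anonymous GET of the non-sensitive health endpoint is matched by the actuator chain and answered, while sensitive actuator endpoints still require HTTP Basic and business endpoints still require a bearer token; verify with the DEBUG output of FilterChainProxy, which should show /manage/health in the first chain rather than in the OAuth2 one.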

👍 thanks I didn't see the setter, using a BeanPostProcessor is indeed very elegant. StackOverflow answer edited accordingly.

Set security.oauth2.resource.filter-order=3 configuration property to restore the ordering used in previous versions. See fe344df for more details.

I agree about release notes remark, this was a breaking change for us as well.
