Spring-boot: Migrating OAuth2 from Spring Boot 1.5 to 2.0 Broken

Created on 28 Mar 2018 · 7 Comments · Source: spring-projects/spring-boot

I am migrating from Spring Boot 1.5 to 2.0. When providing a success handler to HttpSecurity, a ClassNotFoundException is thrown for org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter. Here's a simple way to reproduce:

@Configuration
@EnableOAuth2Sso
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher("/**").authorizeRequests()
                .antMatchers("/", "/login**", "/")
                .permitAll()
                .anyRequest()
                .authenticated().and().oauth2Login().successHandler(new SecurityHandler());
    }
}

and SecurityHandler:

@Component
public class SecurityHandler implements AuthenticationSuccessHandler {
    @Override
    public void onAuthenticationSuccess(HttpServletRequest var1, HttpServletResponse var2, Authentication var3) throws IOException, ServletException {
    }
}

Everything works fine until you add the successHandler. At that point, Spring fails to boot due to the class not found:

Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381) ~[na:1.8.0_121]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[na:1.8.0_121]
    at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:94) ~[patriotic-web.jar:0.0.1-SNAPSHOT]
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[na:1.8.0_121]
    ... 56 common frames omitted
invalid

All 7 comments

@willfitch Do you have the spring-security-oauth2-client jar on your classpath? See this section of the docs

Thanks @philwebb. I did add that dependency:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
    <version>5.0.3.RELEASE</version>
</dependency>

Now, a completely unexpected issue has arisen:

***************************
APPLICATION FAILED TO START
***************************

Description:

Method springSecurityFilterChain in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' that could not be found.
    - Bean method 'clientRegistrationRepository' not loaded because OAuth2 Clients Configured Condition registered clients is not available


Action:

Consider revisiting the conditions above or defining a bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' in your configuration.

A couple of questions:

  1. Is the OAuth2 client requirement emitted from Spring Boot for a reason?
  2. Following up on the above, there doesn't seem to be a decent migration plan for the above use case demonstrating existing OAuth2 integrations that simply require a "hook" once authentication is successful. Are you aware of any?

> Is the OAuth2 client requirement emitted from Spring Boot for a reason?

Yeah, we didn't want to include it in the security starter because not everyone will need OAuth login support. Adding a dedicated starter with just one dependency also didn't seem sensible.

> ...demonstrating existing OAuth2 integrations that simply require a "hook" once authentication is successful

I'm not, @mbhave might know of one. Our sample doesn't use the successHandler hook.

For the failure you're seeing, you need to define some spring.security.oauth2.client properties like this. Check out the updated documentation for details.
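
One way to supply the missing ClientRegistrationRepository bean while keeping a success handler, as an added example that is not code from this issue or from the Spring projects. It assumes Spring Security 5.0.x (as used by Spring Boot 2.0), GitHub as the provider, and hypothetical `app.oauth.client-id` / `app.oauth.client-secret` properties.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Added example: uses only Spring Security 5's oauth2Login(); the @EnableOAuth2Sso
// annotation from the issue's snippet is a separate mechanism and is not used here.
@Configuration
public class OAuth2LoginConfiguration extends WebSecurityConfigurerAdapter {

    // Hypothetical property names (assumption). Resolve them from the environment
    // or a secrets store so the client secret never lands in source control.
    @Value("${app.oauth.client-id}")
    private String clientId;

    @Value("${app.oauth.client-secret}")
    private String clientSecret;

    // Supplies the bean that the startup failure report says could not be found.
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration registration = CommonOAuth2Provider.GITHUB.getBuilder("github")
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
        return new InMemoryClientRegistrationRepository(registration);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .successHandler(successHandler());
    }

    // The post-login "hook": runs once after authentication succeeds.
    private AuthenticationSuccessHandler successHandler() {
        return (request, response, authentication) -> response.sendRedirect("/");
    }
}
```

The same registration can instead come from `spring.security.oauth2.client.registration.*` properties, in which case the `@Bean` method is dropped and Spring Boot creates the repository.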

Appreciate your help, @philwebb

@philwebb hi! I faced the same problem. OAuth2 worked fine, but when I added (from this answer):

 http.oauth2Login().failureHandler(new CustomAuthenticationFailureHandler());

then I got ClassNotFoundException. After that I added spring-security-oauth2-client and got

Bean method 'clientRegistrationRepository' not loaded because OAuth2 Clients Configured Condition registered clients is not available

Do I need to add these properties if I already have an oauth_client_details table with my clients in my DB, and all worked fine until failureHandler()?

@don-prog Please ask questions on stackoverflow.com
