When we deploy our Spring Boot app to Azure Web App, the JSESSIONID cookie is not created, and it looks like there is no session at all.
This is our Spring Security session config:
private void setSessionManagement(HttpSecurity http) throws Exception {
http.sessionManagement()
.enableSessionUrlRewriting(false)
.sessionFixation()
.migrateSession()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.invalidSessionStrategy(invalidSessionStrategy);
//.maximumSessions(1)
//.expiredSessionStrategy(expiredSessionStrategy);
}
When we run in locally in Docker/IntelliJ, it is created. Besides this, I have already set the ARR affinity 'On' under the Configuration > General settings, but still no luck.
Edit:
Found the issue, we had to update Spring Boot: 2.3.5.RELEASE -> 2.5.4
I am tried with latest Spring Boot version 2.5.4 I am not getting any issue. I can see the JSESSIONID cookie has created.
Seems like the some session issues has been fixed in the update. Release v2.5.4 · spring-projects/spring-boot
I hope your issue has fixed with latest version.
Related
I am upgrading my jhipster application to the latest jhipster version which is 7.6.0.
Jhipster 7.6.0 introduces latest version of spring boot (2.6.3) and spring framework (5.3.15)
For security configuration class, I am still using the annotations from spring web mvc and I am not using spring web reactive. At this point, I dont want to switch to web reactive.
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
#Import(SecurityProblemSupport.class)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter { }
After compiling, building and starting my application, If I hit the login url, then I get below error on the screen
Login with OAuth 2.0
[invalid_user_info_response] An error occurred while attempting to retrieve the UserInfo Resource: 403 Forbidden: [no body]
Browser's DevTools console shows that OAuth/authorization end point is returning with 200 http status with no values for session id and token, whereas ideally the end point should return with http status 302 along with session id and token.
I suspect, its related to the changes introduced by the version upgrade, because If I switch back to the older branch of the source code (having older version of jhipster like 6.4.1 and spring) , then the login works just fine.
Can anyone suggest what could be the possible reason behind this issue?
I believe that the 'authorize' end point returning 200 response with missing session id and token is surely one of the reasons.
Please guide me on this.
Thanks.
Thanks for the details. I have found the root cause. For the latest version of spring security, oidc: scope needs to be mentioned explicitly. something like this - scope: openid,profile,email. Adding this scope in application yml fixed the issue. –
UPDATE:
This problem exists in jetty from 9.4.25.v20191220, i have set the version back to 9.4.24 it correctly serves. Whether this is a bug or change of configuration I don't know.
Maybe someone can help, i appreciate this is all configuration issues but I've only had this issue having upgrade spring-boot-starter-parent to 2.1.13-RELEASE from 2.1.10-RELEASE.
Using #SpringBootApplication and everything else default, except with the following WebMvcConfigurer (found in another post here)
#Configuration
public class WebApplicationConfiguration implements WebMvcConfigurer
{
#Override
public void addViewControllers(ViewControllerRegistry registry)
{
registry
.addViewController("/{spring:\\w+}")
.setViewName("forward:/");
registry
.addViewController("/**/{spring:\\w+}")
.setViewName("forward:/");
registry
.addViewController("/{spring:\\w+}/**{spring:?!(\\.js|\\.css|\\.svg)$}")
.setViewName("forward:/");
}
}
Using Jetty, and with an angular project present at \src\resources\public\ including a index.html in the public directory.
In the previous spring version I could navigate to localhost:8080 and it would direct automatically to localhost:8080/list this is setup up as the redirect within the angular project index file.
But now using 2.1.13 i have to explicitly go to localhost:8080/index.html which does work, redirects to /list and i can navigate the website, but if i refresh the page or if i went explicitly to :8080/list i get whitelabel error 500
I've tried:
1.
Adding various other view controller rules:
registry.addViewController("/").setViewName("forward:/index.html");
registry.addViewController("/").setViewName("forward:index.html");
registry.addViewController("/**").setViewName("forward:index.html");
... But I don't think these are the problem anyway.
2.
Viewed ResourceHandlerRegistry to see the default resource locations, so it should pick up my index.html file.
3.
Adding spring.resources.static-locations=classpath:/public/xxx/**
I then get by going to localhost:8080/xxx/ or localhost:8080/xxx/index.html whitelabel 404
I upgraded spring due to security vulnerabilities, so currently tempted to go back to 2.1.10 or 11, and pull only the dependency versions required to mitigate vulnerabilities. I'd just like to understand what is going wrong, and obviously don't enjoy being defeated.
Does anyone know if there is changelogs for versions of spring that would shed any light to what has changed? I guess it could be due to any number of dependent projects though.
So it turns out that whatever the issue was it is fixed in jetty 9.4.27.v20200227.
Spring Boot releases from 2.1.10 contained new Jetty version for each release, with now release currently using 9.4.27.
Using spring boot 2.1.13-RELEASE with 9.4.27.v20200227, returns forwarding to what is expected with localhost:8080 loading /list
I'm having trouble getting the client to connect to a WebSocket endpoint when the Spring-Boot 2.2 application is started in lazy-init mode.
I was able to get this Spring.io tutorial to work. It uses spring-boot-starter-parent version 2.1.6. I changed the pom.xml to use spring-boot-starter-parent version 2.2.0 and got it to work also.
But when I set spring.main.lazy-initialization=true in application.properties, the client does not connect to the server via WebSocket anymore when I click on the "Connect" button. In Chrome Developer Tool > Network > WebSocket, I see that the client sends a CONNECT request, but it never receives a "CONNECTED" response.
I've uploaded my project file to GitHub here:
https://github.com/hirokiterashima/spring-boot-stomp-messaging-websocket. The first commit is the 'complete' directory of the original project in the Spring.io tutorial, which uses Spring-Boot 2.1.6: https://github.com/spring-guides/gs-messaging-stomp-websocket/tree/master/complete. The second commit contains my changes to pom.xml to use Spring-Boot 2.2.0 and addition of application.properties file to enable lazy initialization. As you can see, all I did in the second commit was change to Spring Boot 2.2.0, updated the jQuery webjars dependency, and enabled lazy initialization. If you comment-out the spring.main.lazy-initialization line in application.properties, it will work.
Did anybody else come across a similar issue? What can I do to make this work?
Thanks for your help!
just register the following #Bean:
#Bean
public LazyInitializationExcludeFilter stompWebSocketHandlerMappingLazyInitializationExcludeFilter() {
return LazyInitializationExcludeFilter.forBeanTypes(HandlerMapping.class);
}
or
#Bean
public LazyInitializationExcludeFilter stompWebSocketHandlerMappingLazyInitializationExcludeFilter() {
return ((beanName, beanDefinition, beanType) -> beanName.equals("stompWebSocketHandlerMapping"));
}
We have Spring Boot Admin Version-2.0.3 and corresponding Client Version.
Our spring boot instances are deployed to Pivotal Cloud Foundry.
Everything works great, until we deploy a new version of a spring boot instance. A new internal url is generated for the instance, and get registered to admin. But it didn't deregister the removed instance from the admin.
So it leaves spring boot admin in an inconsistent state. such as:
how can I make the registered instance deregister itself when it gets destryed.
I have tried setting:
spring.boot.admin.client.auto-deregistration = true
But it doesn't work as hoped.
The setting auto-deregistration=true causes your client application to send a http delete call to the server on endpoint /instances/{id}. Csrf checking must be disabled for this endpoint as well on the server. This configuration was missing in the sample securityconfiguration in the spring boot admin documentation. ( See https://github.com/codecentric/spring-boot-admin/issues/1251 )
To fix this, replace
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringAntMatchers(adminContextPath + "/instances", adminContextPath + "/actuator/**");
With
.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.ignoringRequestMatchers(
new AntPathRequestMatcher(adminContextPath + "/instances", HttpMethod.POST.toString()),
new AntPathRequestMatcher(adminContextPath + "/instances/*", HttpMethod.DELETE.toString()),
new AntPathRequestMatcher(adminContextPath + "/actuator/**")
);
After signing in to the Azure Active Directory I get a 401 back from the POST to https://login.microsoftonline.com/common/oauth2/token.
I registered my application in my AD and gave it the permissions user.read and .... I changed the manifest and set oauth2AllowImplicitFlow to true.
Tenant id, client id and client secret are correctly filled in. I tried to change them to double check and changed it to the correct ones.
The web security config is the following, this is from the Microsoft/azure-spring-boot repository.
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
class AADOAuth2LoginSecurityConfig(private val oidcUserService: OAuth2UserService<OidcUserRequest, OidcUser>) : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.userInfoEndpoint()
.oidcUserService(oidcUserService)
}
}
If I clone the sample and fill in the required configuration in application.properties everything works fine. If I start a brand new project, add the security, web, azure active directory, spring-security-oauth2-client and spring-security-oauth2-jose I get the 401.
The versions in use are the following
Spring Boot
2.1.0.RELEASE
Azure Spring Boot Version
2.0.7
application.properties
spring.security.oauth2.client.registration.azure.client-id=xxxxxx
spring.security.oauth2.client.registration.azure.client-secret=xxxxxx
azure.activedirectory.tenant-id=xxxxxx
azure.activedirectory.active-directory-groups=Users
After spitting through the debug logs the only difference I can see between the sample and the fresh project is that the HTTP Basic auth is different. The old version URL encodes the password (it contains non-url-safe characters) and then base64 encodes it as a whole base64(clientId:urlEncode(clientSecret)). The new version does not do this, can this be the actual problem? If so, how can I solve it since it's a change in the library then.