Description
As reported on the Dev mailing list, when you start Fineract in the oauth mode, the health actuator URL does not work - it returns 404 instead.
This seems to be related to the TenantAwareTenantIdentifiedFilter:
If you look at securityContext, you can see that TenantAwareTenantIdentifierFilter is only applied in the “oauth” profile. It doesn’t get used in the basicauth scenario.
I think there are actually two different issues here:
1. TenantAwareTenantIdentifierFilter rejects the request to /actuator/health because it has no tenant identifier in it. But even if we work around this by adding a check for the specific path /fineract-provider/actuator/health and bypassing the check, we hit the next issue:
2. In oauth profile, Spring does not register DispatcherServlet as it thinks it has already been registered. So even if the filter is bypassed, you end up with 404 because there is no DispatcherServlet to route the call to the Spring Actuator.
I think the 2nd problem is because one of the filters used for oauth gets registered as a servlet filter - this seems to be default behaviour of Spring. See here for example:
"One last thing: In case you are using a custom authentication filter (e.g. for token based authentication) you might have to take care that you don't register your filter as a Servlet Filter as well. You can influence that by configuring a method returning a FilterRegistrationBean and accepting an instance of your Filter. Just create a new FilterRegistrationBean for your filter and set enabled to false." (from http://blog.florian-hopf.de/2017/08/spring-security.html)
But oauth / Spring Security is not my area of expertise, so would be great if someone with more knowledge could comment (and ideally, provide a fix)…
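A hypothetical Spring Security configuration illustrating both points above, added here as an example and not taken from Fineract: a separate security filter chain for the health endpoint that simply omits the tenant filter, plus a FilterRegistrationBean that stops Spring Boot from also registering the same filter with the servlet container. TenantAwareTenantIdentifierFilter is assumed to be the project's existing filter bean; the class names and chain ordering are assumptions.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Added example, not Fineract's code. TenantAwareTenantIdentifierFilter is assumed to be
// the project's existing filter bean; everything else here is illustrative.
@Configuration
@Profile("oauth")
public class OAuthSecurityExample {
    // Chain 1 (matched first): the health endpoint alone. Patterns are relative to the
    // servlet context, so this is /fineract-provider/actuator/health on the wire.
    // No tenant filter is added to this chain, so a request without a tenant header passes.
    @Configuration
    @Order(1)
    public static class HealthEndpointSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/actuator/health")
                .authorizeRequests().anyRequest().permitAll();
        }
    }

    // Chain 2: every other request; the tenant check runs inside Spring Security's chain only.
    @Configuration
    @Order(2)
    public static class ApiSecurity extends WebSecurityConfigurerAdapter {
        private final TenantAwareTenantIdentifierFilter tenantFilter;
        public ApiSecurity(TenantAwareTenantIdentifierFilter tenantFilter) {
            this.tenantFilter = tenantFilter;
        }
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().addFilterAfter(tenantFilter, BasicAuthenticationFilter.class);
        }
    }

    // Spring Boot also registers every Filter bean with the servlet container. Disabling that
    // registration keeps the filter out of the plain servlet chain (the double registration
    // the quoted blog post warns about) so it runs only where Spring Security inserts it.
    @Bean
    public FilterRegistrationBean<TenantAwareTenantIdentifierFilter> tenantFilterRegistration(
            TenantAwareTenantIdentifierFilter tenantFilter) {
        FilterRegistrationBean<TenantAwareTenantIdentifierFilter> registration = new FilterRegistrationBean<>(tenantFilter);
        registration.setEnabled(false);
        return registration;
    }
}
```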
Issue Links
- is fixed by FINERACT-1012 Spring Security OAuth 2.x to Spring Security 5.2.x (Resolved)