non-sensitive actuator endpoints require full authentication when @EnableResourceServer is used (oauth2) #5072

Closed
Description

@quintonm

According to the docs for 1.3 for health access restrictions, a non-sensitive health endpoint should allow anonymous access. However, this stops working if the @EnableResourceServer annotation is found. When the OAuth2 resource server is enabled, even non-sensitive endpoints require full authentication.

Activity

added this to the 1.3.3 milestone on Feb 3, 2016
philwebb commented on Feb 3, 2016

Member

@dsyer does the OAuth auto-config mess with security at all?

dsyer commented on Feb 3, 2016

Member

If you @EnableResourceServer and don't provide an order for the filter I guess it's going to be before the actuator one. We could change the default order?

quintonm commented on Feb 3, 2016

Author

I am not sure if this will be helpful or not, but here are the log statements for initialization and a request to the health endpoint. The only non-default configuration I have that affects the actuators is management.contextPath=/manage.

2016-02-03 14:13:22.926 DEBUG 18679 --- [  restartedMain] com.iscs.api.authentication.Application  : Running with Spring Boot v1.3.2.RELEASE, Spring v4.2.4.RELEASE
2016-02-03 14:13:25.474  INFO 18679 --- [  restartedMain] org.apache.catalina.core.StandardEngine  : Starting Servlet Engine: Apache Tomcat/8.0.30
2016-02-03 14:13:25.567  INFO 18679 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2016-02-03 14:13:26.107  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'metricFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'characterEncodingFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'httpPutFormContentFilter' to: [/*]
2016-02-03 14:13:26.108  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'requestContextFilter' to: [/*]
2016-02-03 14:13:26.111  INFO 18679 --- [ost-startStop-1] .e.DelegatingFilterProxyRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2016-02-03 14:13:26.111  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'webRequestLoggingFilter' to: [/*]
2016-02-03 14:13:26.112  INFO 18679 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'applicationContextIdFilter' to: [/*]
2016-02-03 14:13:26.112  INFO 18679 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean        : Mapping servlet: 'dispatcherServlet' to [/]
2016-02-03 14:13:26.458 DEBUG 18679 --- [ost-startStop-1] eGlobalAuthenticationAutowiredConfigurer : Eagerly initializing {org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration=org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration$$EnhancerBySpringCGLIB$$87675bbc@3858f6fe}
2016-02-03 14:13:26.876 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Looking for request mappings in application context: org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@40ea3071: startup date [Wed Feb 03 14:13:22 CST 2016]; root of context hierarchy
2016-02-03 14:13:26.896 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 2 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint: {public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map,java.util.Map,org.springframework.web.bind.support.SessionStatus,java.security.Principal)={[/oauth/authorize]}, public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map,java.util.Map,org.springframework.web.bind.support.SessionStatus,java.security.Principal)={[/oauth/authorize],methods=[POST],params=[user_oauth_approval]}}
2016-02-03 14:13:26.897  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/authorize]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
2016-02-03 14:13:26.898  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/authorize],methods=[POST],params=[user_oauth_approval]}" onto public org.springframework.web.servlet.View org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.approveOrDeny(java.util.Map<java.lang.String, java.lang.String>,java.util.Map<java.lang.String, ?>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)
2016-02-03 14:13:26.901 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 2 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.TokenEndpoint: {public org.springframework.http.ResponseEntity org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map) throws org.springframework.web.HttpRequestMethodNotSupportedException={[/oauth/token],methods=[GET]}, public org.springframework.http.ResponseEntity org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(java.security.Principal,java.util.Map) throws org.springframework.web.HttpRequestMethodNotSupportedException={[/oauth/token],methods=[POST]}}
2016-02-03 14:13:26.901  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/token],methods=[GET]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.getAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException
2016-02-03 14:13:26.901  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/token],methods=[POST]}" onto public org.springframework.http.ResponseEntity<org.springframework.security.oauth2.common.OAuth2AccessToken> org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(java.security.Principal,java.util.Map<java.lang.String, java.lang.String>) throws org.springframework.web.HttpRequestMethodNotSupportedException
2016-02-03 14:13:26.903 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint: {public java.util.Map org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint.checkToken(java.lang.String)={[/oauth/check_token]}}
2016-02-03 14:13:26.903  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/check_token]}" onto public java.util.Map<java.lang.String, ?> org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint.checkToken(java.lang.String)
2016-02-03 14:13:26.904 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint: {public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map,javax.servlet.http.HttpServletRequest) throws java.lang.Exception={[/oauth/confirm_access]}}
2016-02-03 14:13:26.904  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/confirm_access]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelApprovalEndpoint.getAccessConfirmation(java.util.Map<java.lang.String, java.lang.Object>,javax.servlet.http.HttpServletRequest) throws java.lang.Exception
2016-02-03 14:13:26.904 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint: {public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint.handleError(javax.servlet.http.HttpServletRequest)={[/oauth/error]}}
2016-02-03 14:13:26.905  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/error]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.WhitelabelErrorEndpoint.handleError(javax.servlet.http.HttpServletRequest)
2016-02-03 14:13:26.907 DEBUG 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : 1 request handler methods found on class org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint: {public java.util.Map org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint.getKey(java.security.Principal)={[/oauth/token_key],methods=[GET]}}
2016-02-03 14:13:26.907  INFO 18679 --- [ost-startStop-1] .s.o.p.e.FrameworkEndpointHandlerMapping : Mapped "{[/oauth/token_key],methods=[GET]}" onto public java.util.Map<java.lang.String, java.lang.String> org.springframework.security.oauth2.provider.endpoint.TokenKeyEndpoint.getKey(java.security.Principal)
2016-02-03 14:13:26.946  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/css/**'], Ant [pattern='/js/**'], Ant [pattern='/images/**'], Ant [pattern='/**/favicon.ico'], Ant [pattern='/error']]], []
2016-02-03 14:13:27.001 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'fullyAuthenticated', for Ant [pattern='/oauth/token']
2016-02-03 14:13:27.002 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/token_key']
2016-02-03 14:13:27.002 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'isAuthenticated()', for Ant [pattern='/oauth/check_token']
2016-02-03 14:13:27.009 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.010 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.019  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/oauth/token'], Ant [pattern='/oauth/token_key'], Ant [pattern='/oauth/check_token']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@1c0fffcd, org.springframework.security.web.context.SecurityContextPersistenceFilter@5db122b0, org.springframework.security.web.header.HeaderWriterFilter@43e1bd3c, org.springframework.security.web.authentication.logout.LogoutFilter@1a5656c3, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@182b15bc, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@20a9eabb, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@3ddbb523, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@622392, org.springframework.security.web.session.SessionManagementFilter@670b4970, org.springframework.security.web.access.ExceptionTranslationFilter@5ff345ea, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4b8ddeee]
2016-02-03 14:13:27.032 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'authenticated', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-02-03 14:13:27.033 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.033 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.033  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4b33477f]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4f7fadf6, org.springframework.security.web.context.SecurityContextPersistenceFilter@2429fe51, org.springframework.security.web.header.HeaderWriterFilter@2fc2fc4a, org.springframework.security.web.authentication.logout.LogoutFilter@5f93ff29, org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@721eb8d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@7b9a6c68, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@4302fffd, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@3e0d2133, org.springframework.security.web.session.SessionManagementFilter@18608db1, org.springframework.security.web.access.ExceptionTranslationFilter@93adad6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@4346b119]
2016-02-03 14:13:27.037 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'permitAll', for org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration$LazyEndpointPathRequestMatcher@4765d070
2016-02-03 14:13:27.038 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasRole('ROLE_ADMIN')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-02-03 14:13:27.039 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.040 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.040  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: Ant [pattern='/manage/**'], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@282abc01, org.springframework.security.web.context.SecurityContextPersistenceFilter@37de1b2b, org.springframework.security.web.header.HeaderWriterFilter@3a365b84, org.springframework.security.web.authentication.logout.LogoutFilter@a5840c, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@1eba4275, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2244a646, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2a2623f1, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1050ce2c, org.springframework.security.web.session.SessionManagementFilter@2af01b32, org.springframework.security.web.access.ExceptionTranslationFilter@602ea422, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@60395d60]
2016-02-03 14:13:27.042 DEBUG 18679 --- [ost-startStop-1] edFilterInvocationSecurityMetadataSource : Adding web access control expression 'hasAnyRole('ROLE_USER','ROLE_ADMIN')', for org.springframework.security.web.util.matcher.AnyRequestMatcher@1
2016-02-03 14:13:27.042 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.042 DEBUG 18679 --- [ost-startStop-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Validated configuration attributes
2016-02-03 14:13:27.042  INFO 18679 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: OrRequestMatcher [requestMatchers=[Ant [pattern='/**']]], [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@71ab9b21, org.springframework.security.web.context.SecurityContextPersistenceFilter@1ec3914f, org.springframework.security.web.header.HeaderWriterFilter@23f77658, org.springframework.security.web.authentication.logout.LogoutFilter@79639d17, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@7b28329d, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@209d6b99, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@38c08c64, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@17c02eac, org.springframework.security.web.session.SessionManagementFilter@51821c0f, org.springframework.security.web.access.ExceptionTranslationFilter@7be8a117, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@53d592d6]
2016-02-03 14:13:49.829  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/env/{name:.*}],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EnvironmentMvcEndpoint.value(java.lang.String)
2016-02-03 14:13:49.829  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/env || /manage/env.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.830  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/beans || /manage/beans.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.830  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/dump || /manage/dump.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.831  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/buildscriptDependencies || /manage/buildscriptDependencies.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.831  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/trace || /manage/trace.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.832  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage || /manage.json],produces=[application/json]}" onto public org.springframework.hateoas.ResourceSupport org.springframework.boot.actuate.endpoint.mvc.HalJsonMvcEndpoint.links()
2016-02-03 14:13:49.833  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/configuration || /manage/configuration.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.833  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/info || /manage/info.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.834  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/runtimeDependencies || /manage/runtimeDependencies.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.834  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/mappings || /manage/mappings.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.834  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/autoconfig || /manage/autoconfig.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.835  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/metrics/{name:.*}],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.MetricsMvcEndpoint.value(java.lang.String)
2016-02-03 14:13:49.835  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/metrics || /manage/metrics.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.836  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/configprops || /manage/configprops.json],methods=[GET],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter.invoke()
2016-02-03 14:13:49.836  INFO 18679 --- [  restartedMain] o.s.b.a.e.mvc.EndpointHandlerMapping     : Mapped "{[/manage/health || /manage/health.json],produces=[application/json]}" onto public java.lang.Object org.springframework.boot.actuate.endpoint.mvc.HealthMvcEndpoint.invoke(java.security.Principal)
2016-02-03 14:13:56.770  INFO 18679 --- [  restartedMain] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 8080 (http)
2016-02-03 14:13:56.778  INFO 18679 --- [  restartedMain] com.iscs.api.authentication.Application  : Started Application in 35.763 seconds (JVM running for 36.508)


2016-02-03 14:18:24.149  INFO 18679 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/css/**'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/js/**'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/images/**'
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2016-02-03 14:18:24.225 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/**/favicon.ico'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/error'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token_key']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token_key'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/check_token']
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/check_token'
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4b33477f
2016-02-03 14:18:24.226 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : matched
2016-02-03 14:18:24.227  INFO 18679 --- [nio-8080-exec-1] Spring Security Debugger                 : 

************************************************************

Request received for GET '/manage/health':

org.apache.catalina.connector.RequestFacade@2fdb2c31

servletPath:/manage/health
pathInfo:null
headers: 
host: localhost:8080
connection: keep-alive
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
dnt: 1
accept-encoding: gzip, deflate, sdch
accept-language: en-US,en;q=0.8


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  OAuth2AuthenticationProcessingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************


2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/css/**']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/css/**'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/js/**']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/js/**'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/images/**']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/images/**'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/**/favicon.ico']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/**/favicon.ico'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/error']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/error'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/token_key']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/token_key'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using Ant [pattern='/oauth/check_token']
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/oauth/check_token'
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : Trying to match using org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@4b33477f
2016-02-03 14:18:24.254 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.web.util.matcher.OrRequestMatcher  : matched
2016-02-03 14:18:24.255 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2016-02-03 14:18:24.256 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@21b24c95
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/manage/health'; against '/logout'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor         : Token not found in headers. Trying request parameters.
2016-02-03 14:18:24.257 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.o.p.a.BearerTokenExtractor         : Token not found in request parameters.  Not an OAuth2 request.
2016-02-03 14:18:24.258 DEBUG 18679 --- [nio-8080-exec-1] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2016-02-03 14:18:24.258 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2016-02-03 14:18:24.258 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2016-02-03 14:18:24.259 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2016-02-03 14:18:24.260 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2016-02-03 14:18:24.260 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2016-02-03 14:18:24.261 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2016-02-03 14:18:24.261 DEBUG 18679 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : /manage/health at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2016-02-03 14:18:24.262 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /manage/health; Attributes: [#oauth2.throwOnError(authenticated)]
2016-02-03 14:18:24.262 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2016-02-03 14:18:24.267 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@42436610, returned: -1
2016-02-03 14:18:24.274 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
      at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83) ~[spring-security-core-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:232) ~[spring-security-core-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123) ~[spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90) ~[spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) ~[spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:169) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:176) [spring-security-oauth2-2.0.8.RELEASE.jar:na]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest(DebugFilter.java:75) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.security.web.debug.DebugFilter.doFilter(DebugFilter.java:62) [spring-security-web-4.0.3.RELEASE.jar:4.0.3.RELEASE]
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:87) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103) [spring-boot-actuator-1.3.2.RELEASE.jar:1.3.2.RELEASE]
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [tomcat-embed-core-8.0.30.jar:8.0.30]
      at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) [spring-web-4.2.4.RELEASE.jar:4.2.4.RELEASE]
      at javax.servlet.FilterChain$doFilter.call(Unknown Source) [javax.servlet-api-3.1.0.jar:3.1.0]

2016-02-03 14:18:24.275 DEBUG 18679 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Calling Authentication entry point.
2016-02-03 14:18:24.294 DEBUG 18679 --- [nio-8080-exec-1] s.s.o.p.e.DefaultOAuth2ExceptionRenderer : Written [error="unauthorized", error_description="Full authentication is required to access this resource"] as "application/xhtml+xml" using [org.springframework.security.oauth2.http.converter.jaxb.JaxbOAuth2ExceptionMessageConverter@10314b6b]
2016-02-03 14:18:24.294 DEBUG 18679 --- [nio-8080-exec-1] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
quintonm

quintonm commented on Feb 3, 2016

@quintonm
Author

Also, I tried to override the default configuration using WebSecurityConfigurerAdapter with @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER). However, that did not seem to have any effect on the issue. I believe that this is due to ResourceServerConfiguration having an order of 3.

I did manage to work around the problem for the health endpoint by adding the following bean definition.

    @Bean
    ResourceServerConfigurer resourceServerConfigurer() {
        new ResourceServerConfigurerAdapter() {
            @Override
            void configure(ResourceServerSecurityConfigurer resources)
                    throws Exception {
                resources.resourceId('blah')
            }

            @Override
            void configure(HttpSecurity http) throws Exception {
                http.authorizeRequests()
                // allow anonymous access to health check endpoint
                        .antMatchers("/manage/health").permitAll()
                // everything else requires authentication
                        .anyRequest().authenticated()
            }
        }
    }
modified the milestones: 1.3.3, 1.3.4 on Feb 26, 2016
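The DEBUG trace posted above already contains everything needed to see which filter chain handled the request and which access rule rejected it. The following triage script is an added example, not part of the original comment; the function name `triage` and the report keys are hypothetical, and the sample lines are excerpted from the log above with timestamps trimmed.

```python
import re

# Excerpt of the log posted above (timestamp, PID and thread columns trimmed).
SAMPLE_LOG = """\
o.s.security.web.FilterChainProxy        : /manage/health at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
o.s.security.web.FilterChainProxy        : /manage/health at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
o.s.security.web.FilterChainProxy        : /manage/health at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /manage/health; Attributes: [#oauth2.throwOnError(authenticated)]
o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@42436610, returned: -1
o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is anonymous); redirecting to authentication entry point
"""

FILTER_RE = re.compile(r": (\S+) at position \d+ of \d+ in additional filter chain; firing Filter: '(\w+)'")
SECURE_RE = re.compile(r"Secure object: FilterInvocation: URL: (\S+); Attributes: \[(.*)\]")
VOTE_RE = re.compile(r"Voter: ([\w.$]+)@\w+, returned: (-?\d+)")
DENIED_RE = re.compile(r"Access is denied \(user is (\w+)\)")


def triage(log_text):
    """Summarise one request's pass through Spring Security from its DEBUG lines."""
    r = {"url": None, "filters": [], "rule": None, "votes": [], "denied_as": None}
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            r["filters"].append(m.group(2))
            continue
        m = SECURE_RE.search(line)
        if m:
            # The attribute list is the access expression the chain applied.
            r["url"], r["rule"] = m.group(1), m.group(2)
            continue
        m = VOTE_RE.search(line)
        if m:
            # Keep the voter's simple class name; -1 is a vote to deny.
            r["votes"].append((m.group(1).rsplit(".", 1)[-1], int(m.group(2))))
            continue
        m = DENIED_RE.search(line)
        if m:
            r["denied_as"] = m.group(1)
    # OAuth2AuthenticationProcessingFilter only appears in the resource server's chain.
    r["resource_server_chain"] = "OAuth2AuthenticationProcessingFilter" in r["filters"]
    # The symptom in this issue: an anonymous request rejected by an #oauth2 rule.
    r["anonymous_hit_oauth2_rule"] = (
        r["resource_server_chain"]
        and r["denied_as"] == "anonymous"
        and "#oauth2." in (r["rule"] or "")
    )
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
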
kristofferpeterhansel

kristofferpeterhansel commented on Apr 14, 2016

@kristofferpeterhansel

Isn't this a more general issue with the Actuator access setup? It has an @Order annotation that is '2147483637' (5 less than org.springframework.boot.autoconfigure.security.SecurityProperties.BASIC_AUTH_ORDER).

But as you add your own WebSecurityConfigurerAdapter to the app, it is ordered at 100 by default and will disable this setup silently.

dsyer

dsyer commented on Apr 14, 2016

@dsyer
Member

Understanding the role of @Order and the values used in existing autoconfig is important here, but there is no issue per se in having orders defined the way they are. There is an issue with anonymous authentication in spring oauth when you try to skip the resource server paths (see github issue in that project for more detail).
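The ordering discussed in this thread can be modelled in a few lines: the chain with the lowest order whose request matcher accepts the path handles the request alone, so a later chain's more permissive rule is never consulted. This is an added example, not code from Spring or from any commenter; the order values 3, 100 and 2147483637 are the ones quoted in the thread, while the matchers, the glob-style rule patterns and all names are simplifying assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Chain:
    name: str
    order: int        # @Order value; the lowest value is consulted first
    matches: object   # callable(path) -> bool, stands in for the chain's request matcher
    rules: list = field(default_factory=list)  # (glob pattern, "permitAll" | "authenticated")


def select_chain(chains, path):
    """Return the first chain, by ascending order, whose matcher accepts the path."""
    for chain in sorted(chains, key=lambda c: c.order):
        if chain.matches(path):
            return chain
    return None


def decide(chains, path, authenticated=False):
    """Return (chain name, 'allow' | 'deny') for a request; anonymous by default."""
    chain = select_chain(chains, path)
    if chain is None:
        return (None, "allow")
    for pattern, access in chain.rules:  # first matching rule wins inside a chain
        if fnmatchcase(path, pattern):
            ok = access == "permitAll" or authenticated
            return (chain.name, "allow" if ok else "deny")
    return (chain.name, "allow")


# Assumption: the resource server's matcher accepts every path outside /oauth/.
def not_oauth(path):
    return not path.startswith("/oauth/")


# Assumption: the actuator chain covers /manage/ and leaves health open.
ACTUATOR = Chain("actuator", 2147483637, lambda p: p.startswith("/manage/"),
                 [("/manage/health", "permitAll"), ("*", "authenticated")])
RESOURCE_SERVER = Chain("resource_server", 3, not_oauth, [("*", "authenticated")])
# The workaround from the thread: permit health inside the resource server's own rules.
RESOURCE_SERVER_FIXED = Chain("resource_server", 3, not_oauth,
                              [("/manage/health", "permitAll"), ("*", "authenticated")])
# An application adapter at the default order of 100 that matches every request.
CUSTOM_ADAPTER = Chain("custom_adapter", 100, lambda p: True, [("*", "authenticated")])

if __name__ == "__main__":
    for label, chains in [("actuator only", [ACTUATOR]),
                          ("with resource server", [ACTUATOR, RESOURCE_SERVER]),
                          ("with workaround", [ACTUATOR, RESOURCE_SERVER_FIXED]),
                          ("with custom adapter", [ACTUATOR, CUSTOM_ADAPTER])]:
        print(label, decide(chains, "/manage/health"))
```
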

        non-sensitive actuator endpoints require full authentication when @EnableResourceServer is used (oauth2) · Issue #5072 · spring-projects/spring-boot