probE466 probE466 - 1 month ago 10
Linux Question

Spring Security crash when deployed on Linux-Server

We've run into a problem with a Spring webservice.
We are using Spring Security to secure our admin backend in order to generate API keys. When we deploy it on our local machines (Windows and macOS) it works fine and the page loads. If we try to deploy it on a VM with Debian or Ubuntu, the not secured endpoints load fine, but as soon as we hit the admin backend, the server locks up and does not load the page. We've tried deploying it using the Gradle task bootRun from the git repo, compiling a war and loading that into a Tomcat instance, and compiling a jar and running that; none of that worked. We do not get any exceptions in the console and it looks to be running fine; however, after we hit the backend no other page loads as well, even the ones that were working before.

This is the Security Config

package me.probE466.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // auth
        //     .inMemoryAuthentication()
        //     .withUser("user").password("password").roles("ADMIN");
    }

    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().ignoringAntMatchers("/post");
        http.authorizeRequests()
            .antMatchers("/admin/**")
            .authenticated()
            .antMatchers("/**").permitAll().and().httpBasic();
    }
}


This is the Controller

@RequestMapping(value = "/admin", method = RequestMethod.GET)
public ModelAndView getTest() {
    return new ModelAndView("addapi");
}

@RequestMapping(value = "/admin", method = RequestMethod.POST)
@ResponseBody
public String addApiKey(@RequestParam("userName") String userName) {
    User user = new User();
    String key = generateSecureApiKey(32);
    user.setUserKey(key);
    user.setUserName(userName);
    userRepository.save(user);
    return key;
}


This is our build.gradle

buildscript {
    ext {
        springBootVersion = '1.4.1.RELEASE'
    }
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
    }
}

apply plugin: 'java'
apply plugin: 'spring-boot'

jar {
    baseName = 'push'
    version = '0.0.1-SNAPSHOT'
}
sourceCompatibility = 1.8
targetCompatibility = 1.8

repositories {
    mavenCentral()
}

dependencies {
    compile("mysql:mysql-connector-java:5.1.34")
    compile('org.springframework.boot:spring-boot-starter-data-jpa')
    compile('org.thymeleaf:thymeleaf-spring4')
    compile('org.springframework.boot:spring-boot-starter-security')
    compile('org.springframework.boot:spring-boot-starter-web')
    // https://mvnrepository.com/artifact/commons-lang/commons-lang
    compile group: 'commons-lang', name: 'commons-lang', version: '2.6'

    testCompile('org.springframework.boot:spring-boot-starter-test')
}


For further reference, this is the git repo:

https://github.com/probE466/push

Any help would be appreciated

Answer

Okay, we figured it out...:

In the getting started guide of Spring Security (should have read that more closely) it says:

package hello;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/home").setViewName("home");
        registry.addViewController("/").setViewName("home");
        registry.addViewController("/hello").setViewName("hello");
        registry.addViewController("/login").setViewName("login");
    }

}

This was missing in our configuration. Still don't know why it worked on our clients (it still works without it on them) but not on the Linux box, but after we added it, it worked fine there too. For future reference: every protected controller NEEDS to be registered here... at least on our server.
