Yes - if you look at securityContext, you can see that TenantAwareTenantIdentifierFilter is only applied in the “oauth” profile. It doesn’t get used in the basicauth scenario.
I think there are actually two different issues here: 1. TenantAwareTenantIdentifierFilter rejects the request to /actuator/health because it has no tenant identifier in it. But even if we work around this by adding a check for the specific path /fineract-provider/actuator/health and bypassing the check, we hit the next issue 2. In oauth profile, Spring does not register DispatcherServlet as it thinks it has already been registered. So even if the filter is bypassed, you end up with 404 because there is no DispatcherServlet to route the call to the Spring Actuator. I think the 2nd problem is because one of the filters used for oauth gets registered as a servlet filter - this seems to be default behaviour of Spring. See here for example: "One last thing: In case you are using a custom authentication filter (e.g. for token based authentication) you might have to take care that you don't register your filter as a Servlet Filter as well. You can influence that by configuring a method returning a FilterRegistrationBean and accepting an instance of your Filter. just create a new FilterRegistrationBean for your filter and set enabled to false.” from http://blog.florian-hopf.de/2017/08/spring-security.html <http://blog.florian-hopf.de/2017/08/spring-security.html> But oauth / Spring Security is not my area of expertise, so would be great if someone with more knowledge could comment (and ideally, provide a fix)… Regards Petri > On 8 Oct 2020, at 11:44 PM, reza sohbati <[email protected]> wrote: > > Thank you for your response. > I ran the code with the basic profile and I put the breakpoint in > TenantAwareBasicAuthenticationFilter.java class. by calling /actuator/health > I realized that this filter does not execute in the actuator endpoints, But > in oauth profile mode the filer TenantAwareTenantIdentifierFilter.java > executes. > I think maybe the problem is in securityContext.xml configuration. I checked > it but I couldn't find out any differences. > > > On Thu, Oct 8, 2020 at 6:58 AM Petri Tuomola <[email protected] > <mailto:[email protected]>> wrote: > I took a quick look at this: I think the problem is that > TenantAwareTenantIdentifierFilter rejects the request with > InvalidTenantIdentiferException because the URL > (/fineract-provider/actuator/health) does not have a tenant identifier. > > I’m not an expert on Spring Security, but I’m assuming this means the > custom-filter tag in securityContext that we use to insert the > TenantAwareTenantIdentifierFilter doesn’t actually “respect” the URL pattern > specified in the enclosing http tags: i.e. the custom filter gets inserted to > the filter chain for all URLs, not for ones matching the specific URL > pattern. > > Regards > Petri > >> On 7 Oct 2020, at 10:31 PM, Yemdjih Kaze Nasser <[email protected] >> <mailto:[email protected]>> wrote: >> >> Hi, >> >> What does the call to actuator/health return? >> >> On Wed, Oct 7, 2020 at 12:27 PM reza sohbati <[email protected] >> <mailto:[email protected]>> wrote: >> Hello everyone >> >> When I build the Fineract with -Psecurity=oauth argument, everything is OK >> but the actuator health API does not return the proper value. >> I try to call this API : >> fineract-provider/actuator/health >> >> Thank you >> >> >
