Petri Tuomola created FINERACT-1282:
---------------------------------------
Summary: Health actuator gives 404 when in oauth mode
Key: FINERACT-1282
URL: https://issues.apache.org/jira/browse/FINERACT-1282
Project: Apache Fineract
Issue Type: Bug
Reporter: Petri Tuomola
As reported on the Dev mailing list, when you start Fineract in the oauth mode,
the health actuator URL does not work - it returns 404 instead.
This seems to be related to the TenantAwareTenantIdentifierFilter:
If you look at securityContext, you can see that
TenantAwareTenantIdentifierFilter is only applied in the “oauth” profile. It
doesn’t get used in the basicauth scenario.
I think there are actually two different issues here:
1. TenantAwareTenantIdentifierFilter rejects the request to /actuator/health
because it has no tenant identifier in it. But even if we work around this by
adding a check for the specific path /fineract-provider/actuator/health and
bypassing the check, we hit the next issue
2. In oauth profile, Spring does not register DispatcherServlet as it thinks it
has already been registered. So even if the filter is bypassed, you end up with
404 because there is no DispatcherServlet to route the call to the Spring
Actuator.
I think the 2nd problem is because one of the filters used for oauth gets
registered as a servlet filter - this seems to be default behaviour of Spring.
See here for example:
"One last thing: In case you are using a custom authentication filter (e.g. for
token based authentication) you might have to take care that you don't register
your filter as a Servlet Filter as well. You can influence that by configuring
a method returning a FilterRegistrationBean and accepting an instance of your
Filter. Just create a new FilterRegistrationBean for your filter and set
enabled to false." from
[http://blog.florian-hopf.de/2017/08/spring-security.html]
But oauth / Spring Security is not my area of expertise, so would be great if
someone with more knowledge could comment (and ideally, provide a fix)…