[
https://issues.apache.org/jira/browse/FINERACT-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Vorburger updated FINERACT-1282:
----------------------------------------
Component/s: Security
> Health actuator gives 404 when in oauth mode
> --------------------------------------------
>
> Key: FINERACT-1282
> URL: https://issues.apache.org/jira/browse/FINERACT-1282
> Project: Apache Fineract
> Issue Type: Bug
> Components: Security
> Reporter: Petri Tuomola
> Priority: Major
>
> As reported on the Dev mailing list, when you start Fineract in the oauth
> mode, the health actuator URL does not work - it returns 404 instead.
> This seems to be related to the TenantAwareTenantIdentifierFilter:
> If you look at securityContext, you can see that
> TenantAwareTenantIdentifierFilter is only applied in the “oauth” profile. It
> doesn’t get used in the basicauth scenario.
>
> I think there are actually two different issues here:
>
> 1. TenantAwareTenantIdentifierFilter rejects the request to /actuator/health
> because it has no tenant identifier in it. But even if we work around this by
> adding a check for the specific path /fineract-provider/actuator/health and
> bypassing the check, we hit the next issue.
>
> 2. In oauth profile, Spring does not register DispatcherServlet as it thinks
> it has already been registered. So even if the filter is bypassed, you end up
> with 404 because there is no DispatcherServlet to route the call to the
> Spring Actuator.
>
> I think the 2nd problem is because one of the filters used for oauth gets
> registered as a servlet filter - this seems to be default behaviour of
> Spring. See here for example:
>
> "One last thing: In case you are using a custom authentication filter (e.g.
> for token based authentication) you might have to take care that you don't
> register your filter as a Servlet Filter as well. You can influence that by
> configuring a method returning a FilterRegistrationBean and accepting an
> instance of your Filter. Just create a new FilterRegistrationBean for your
> filter and set enabled to false." from
> [http://blog.florian-hopf.de/2017/08/spring-security.html]
>
> But oauth / Spring Security is not my area of expertise, so it would be great if
> someone with more knowledge could comment (and ideally, provide a fix)…
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
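
The two mechanisms the report discusses, a path-specific bypass in a tenant filter and the disabled FilterRegistrationBean from the quoted blog passage, shown together as an added example; this is not Fineract's code and not a fix confirmed on this issue. ExampleTenantFilter, ExampleFilterConfig, the header name and the context-relative health path are hypothetical; FilterRegistrationBean.setEnabled and OncePerRequestFilter.shouldNotFilter are the standard Spring Boot and Spring Web APIs.

```java
import java.io.IOException;
import javax.servlet.FilterChain; // jakarta.servlet.* on Spring Boot 3+
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical stand-in for a tenant-checking filter; not Fineract's class.
class ExampleTenantFilter extends OncePerRequestFilter {
    static final String TENANT_HEADER = "X-Example-Tenant"; // assumed header name
    static final String HEALTH_PATH = "/actuator/health";   // path inside the context
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Exact match only: a prefix or suffix match would exempt more URLs than
        // the health probe. Any variant (path parameters, encoding) stays filtered.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return "GET".equals(request.getMethod()) && HEALTH_PATH.equals(path);
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        String tenant = req.getHeader(TENANT_HEADER);
        if (tenant == null || tenant.isEmpty()) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "Tenant identifier missing");
            return;
        }
        chain.doFilter(req, res);
    }
}

@Configuration
class ExampleFilterConfig {
    @Bean
    ExampleTenantFilter exampleTenantFilter() {
        return new ExampleTenantFilter();
    }

    // Spring Boot registers every Filter bean with the servlet container by default;
    // a disabled registration leaves the filter to the Spring Security chain alone.
    @Bean
    FilterRegistrationBean<ExampleTenantFilter> exampleTenantFilterRegistration(ExampleTenantFilter filter) {
        FilterRegistrationBean<ExampleTenantFilter> registration = new FilterRegistrationBean<>(filter);
        registration.setEnabled(false);
        return registration;
    }
}
```

An endpoint exempted from the tenant check this way is reachable without a tenant identifier, so the exemption is kept to the single health path and the amount of detail the health endpoint returns to unauthenticated callers should be reviewed alongside it.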