Issue
I'm migrating Spring Boot 1.4.1 -> 2.1.18 It seems to be working (this is a Kafka app, the logs look good).
But I cannot make the actuator serve any endpoints no matter what.
It always looks like this:
http://127.0.0.1:8081/health
or http://127.0.0.1:8081/actuator/health
or http://127.0.0.1:8081/actuator/info
or http://127.0.0.1:8081/info
or whatever it's always the response:
{"error":"invalid token","message":"Failed to obtain token from request. 'Authorization' header field must be set.","path":"/health","status":401,"timestamp":"2022-08-23T01:45:07.124Z"}
In the logs it looks like this (the endpoint I try to invoke changes of course, but the logs show the same behavior):
2022-08-22T17:03:12.313Z DEBUG --- [http-nio-8081-exec-6] o.a.c.h.Http11InputBuffer : Received [GET /health HTTP/1.1
Host: 100.97.249.239:8081
User-Agent: kube-probe/1.19
Accept-Encoding: gzip
Connection: close
]
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.a.c.a.AuthenticatorBase : Security checking request GET /health
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.a.c.r.RealmBase : No applicable constraints defined
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.a.c.a.AuthenticatorBase : Not subject to any constraint
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.FilterChainProxy : /health at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.FilterChainProxy : /health at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.FilterChainProxy : /health at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.FilterChainProxy : /health at position 4 of 14 in additional filter chain; firing Filter: 'AuthExceptionHandlerFilter'
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.FilterChainProxy : /health at position 5 of 14 in additional filter chain; firing Filter: 'KeycloakPreAuthActionsFilter'
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.h.w.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@62a657b0
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.a.c.h.Http11Processor : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@38ddeb43:org.apache.tomcat.util.net.NioChannel@2efea784:java.nio.channels.SocketChannel[connected local=/100.97.249.239:8081 remote=/172.16.23.76:39510]], Status in: [OPEN_READ], State out: [CLOSED]
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.a.t.u.t.LimitLatch : Counting down[http-nio-8081-exec-6] latch=8
2022-08-22T17:03:12.314Z DEBUG --- [http-nio-8081-exec-6] o.a.t.u.n.NioEndpoint : Calling [org.apache.tomcat.util.net.NioEndpoint@2ceceb98].closeSocket([org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@38ddeb43:org.apache.tomcat.util.net.NioChannel@2efea784:java.nio.channels.SocketChannel[connected local=/100.97.249.239:8081 remote=/172.16.23.76:39510]])
2022-08-22T17:03:12.403Z DEBUG --- [http-nio-8080-ClientPoller] o.a.t.u.n.NioEndpoint : timeout completed: keys processed=0; now=1661187792403; nextExpiration=1661187792402; keyCount=0; hasEvents=false; eval=false
2022-08-22T17:03:12.595Z DEBUG --- [http-nio-8081-exec-7] o.a.c.h.Http11InputBuffer : Before fill(): [true], parsingRequestLine: [true], parsingRequestLinePhase: [0], parsingRequestLineStart: [0], byteBuffer.position() [0]
2022-08-22T17:03:12.595Z DEBUG --- [http-nio-8081-exec-7] o.a.t.u.n.SocketWrapperBase : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@212bc591:org.apache.tomcat.util.net.NioChannel@3d2834f8:java.nio.channels.SocketChannel[connected local=/100.97.249.239:8081 remote=/100.98.123.19:49114]], Read from buffer: [0]
2022-08-22T17:03:12.595Z DEBUG --- [http-nio-8081-exec-7] o.a.t.u.n.NioEndpoint : Socket: [org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@212bc591:org.apache.tomcat.util.net.NioChannel@3d2834f8:java.nio.channels.SocketChannel[connected local=/100.97.249.239:8081 remote=/100.98.123.19:49114]], Read direct from socket: [293]
I even don't have the default endpoints like health
or info
working.
I tried different configs and basically all approaches I found on the Internet.
I also see that my configs are read by Spring Boot in the logs.
From these logs I think it's not a security problem, and HTTP 401 is a Spring Boot thing to avoid showing HTTP 404 to an unauthorized user.
But I don't see any lines showing mapped
word from WebMvcEndpointHandlerMapping
unlike in the logs examples of which I found.
I really suspect that no endpoint mappings really happening. I found these lines in the logs:
Did not match:
- @ConditionalOnEnabledResourceChain did not find class org.webjars.WebJarAssetLocator (OnEnabledResourceChainCondition)
WebMvcAutoConfiguration.WebMvcAutoConfigurationAdapter#beanNameViewResolver:
Did not match:
- @ConditionalOnMissingBean (types: org.springframework.web.servlet.view.BeanNameViewResolver; SearchStrategy: all) found beans of type 'org.springframework.web.servlet.view.BeanNameViewResolver' beanNameViewResolver (OnBeanCondition)
WebMvcAutoConfiguration.WebMvcAutoConfigurationAdapter#localeResolver:
Did not match:
- @ConditionalOnProperty (spring.mvc.locale) did not find property 'locale' (OnPropertyCondition)
...
Tomcat started on port(s): 8080 (http) with context path ''
...
Exposing 16 endpoint(s) beneath base path '/actuator'
### NOTHING ABOUT WHAT ENDPOINTS
...
o.s.w.s.m.m.a.RequestMappingHandlerMapping : 1 mappings in 'requestMappingHandlerMapping'
...
Tomcat started on port(s): 8081 (http) with context path ''
Where could I look at? What else can I try? Pretty desperate at this point...
My application.yaml
:
management:
server:
port: 8081
security:
enabled: false
endpoint:
health:
enabled: true
prometheus:
enabled: true
metrics:
enabled: true
endpoints:
web:
exposure:
include: "*"
metrics:
export:
prometheus:
enabled: true
my pom.xml
has
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-prometheus</artifactId>
<scope>runtime</scope>
</dependency>
Solution
401 actually meant the permission problem, and I couldn't get rid of it for a while, but after getting rid of the legacy libraries I was able to expose the endpoint with this:
public class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
.antMatchers("/**").hasRole("USER")
.and()
.httpBasic();
}
This is probably my own problem due to the dependency hell I ended up, but I hope it'll help someone sometime.
Answered By - Battle_Slug
Answer Checked By - Willingham (JavaFixing Volunteer)