Skip to content

using webflux in the controllers breaks mvc spring security SecurityFilterChain #486

New issue
New issue
Open
Open
using webflux in the controllers breaks mvc spring security SecurityFilterChain#486
Assignees
paul58914080
@dev-wealthpilot

Description

@dev-wealthpilot
dev-wealthpilot
opened on Nov 15, 2024

Describe the bug
Some of the controllers return a ResponseEntity<Flux<...>> object. This makes the whole call asynchronous which then leads to the problem that the SecurityFilterChain loses the authentication information.
Normally this is mitigated by enabling @EnableWebFluxSecurity - but this breaks mvc applications.

To Reproduce
Steps to reproduce the behavior:

use mvc application and create SecurityFilterChain that requires login, then try to protect ff4j REST calls

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
        ...configure authentication 
        .authorizeHttpRequests(authorize -> authorize
                                        ...
                                        .requestMatchers("/api/ff4j/**").hasAuthority("ROLE_ADMIN")
                                        ...
                                        );

Expected behavior
when logged in with ROLE_ADMIN then access to /api/ff4j/** should be granted.
Actual behaviour is that access is always denied because of webflux usage in the ff4j rest apis

this worked in pre 2.x versions

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions