Basic auth is not working on lambda with Spring Boot #279

Closed
Defozo opened this issue Sep 10, 2019 · 5 comments
Defozo commented Sep 10, 2019

  • Framework version: v2.0.0.RELEASE
  • Implementations: Spring Boot

Scenario

This is my SecurityConfiguration class:

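import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    // Require HTTP Basic authentication on every request; CSRF protection is disabled.
    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable()
                .authorizeRequests().anyRequest().authenticated()
                .and().httpBasic();

    }

    // Single in-memory user whose password is stored as a BCrypt hash.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder authentication)
            throws Exception
    {
        authentication.inMemoryAuthentication()
                .withUser("admin")
                .password(passwordEncoder().encode("fsdiojoigjsdoif"))
                .authorities("ROLE_USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}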

Expected behavior

When I run the project locally it properly shows basic auth and I can authenticate and access my endpoints.

Actual behavior

However, when I deploy it to Lambda it returns HTTP code 500 and prints this:

START RequestId: 298ebee0-275a-4618-96f6-c9535fd0179b Version: $LATEST
13:18:45.132 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 0-characterEncodingFilter
13:18:45.133 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 1-errorPageFilter
13:18:45.133 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 2-springSecurityFilterChain
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.134 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.135 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.136 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
Sep 10, 2019 1:18:45 PM org.springframework.boot.web.servlet.support.ErrorPageFilter forwardToErrorPage
SEVERE: Forwarding to error page from request [/api/user/add] due to exception [null]
java.lang.NullPointerException
at org.springframework.security.web.savedrequest.HttpSessionRequestCache.saveRequest(HttpSessionRequestCache.java:59)
at org.springframework.security.web.access.ExceptionTranslationFilter.sendStartAuthentication(ExceptionTranslationFilter.java:208)
at org.springframework.security.web.access.ExceptionTranslationFilter.handleSpringSecurityException(ExceptionTranslationFilter.java:182)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:138)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder.doFilter(FilterChainHolder.java:84)
at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115)
at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59)
at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108)
at com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder.doFilter(FilterChainHolder.java:84)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder.doFilter(FilterChainHolder.java:84)
at com.amazonaws.serverless.proxy.internal.servlet.AwsLambdaServletContainerHandler.doFilter(AwsLambdaServletContainerHandler.java:215)
at com.amazonaws.serverless.proxy.spring.SpringBootLambdaContainerHandler.handleRequest(SpringBootLambdaContainerHandler.java:154)
at com.amazonaws.serverless.proxy.spring.SpringBootLambdaContainerHandler.handleRequest(SpringBootLambdaContainerHandler.java:52)
at com.amazonaws.serverless.proxy.internal.LambdaContainerHandler.proxy(LambdaContainerHandler.java:163)
at com.amazonaws.serverless.proxy.internal.LambdaContainerHandler.proxyStream(LambdaContainerHandler.java:198)
at com.example.cognitouseradd.StreamLambdaHandler.handleRequest(StreamLambdaHandler.java:34)
at lambdainternal.EventHandlerLoader$2.call(EventHandlerLoader.java:888)
at lambdainternal.AWSLambda.startRuntime(AWSLambda.java:293)
at lambdainternal.AWSLambda.<clinit>(AWSLambda.java:64)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at lambdainternal.LambdaRTEntry.main(LambdaRTEntry.java:114)
13:18:45.137 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 0-characterEncodingFilter
13:18:45.137 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 1-errorPageFilter
13:18:45.137 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 2-springSecurityFilterChain
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Starting REQUEST: filter 3-com.amazonaws.serverless.proxy.internal.servlet.FilterChainManager$ServletExecutionFilter
13:18:45.138 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.157 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletResponse - Response buffer flushed with 128 bytes, latch=1
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletRequest - Trying to access session. Lambda functions are stateless and should not rely on the session
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-com.amazonaws.serverless.proxy.internal.servlet.FilterChainManager$ServletExecutionFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-springSecurityFilterChain
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-errorPageFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 4-characterEncodingFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.AwsHttpServletResponse - Response buffer flushed with 128 bytes, latch=0
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 2-errorPageFilter
13:18:45.158 [main] DEBUG com.amazonaws.serverless.proxy.internal.servlet.FilterChainHolder - Executed REQUEST: filter 2-characterEncodingFilter
13:18:45.158 [main] INFO com.amazonaws.serverless.proxy.internal.LambdaContainerHandler - 83.144.98.130 - [10/09/2019:13:18:45Z] "POST /error HTTP/1.1" 500 128 "-" "PostmanRuntime/7.15.2" combined
END RequestId: 298ebee0-275a-4618-96f6-c9535fd0179b
REPORT RequestId: 298ebee0-275a-4618-96f6-c9535fd0179b Duration: 27.63 ms Billed Duration: 100 ms Memory Size: 2048 MB Max Memory Used: 280 MB
XRAY TraceId: 1-5d77a2b5-55b4eca49658117b6945c9ee SegmentId: 3b064a9d05f901d4 Sampled: true

sapessi commented Sep 12, 2019

I suspect the issue is caused by Spring Security trying to instantiate a session. We do not support sessions in the framework because of the stateless nature of Lambda. Take a look at how we configure SpringSecurity in our unit tests here. We also implemented additional fixes in the core branch to address #275 - they will go out with the next release over the next few weeks.
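
One way to write the poster's configuration so that Spring Security never touches the HTTP session, following the diagnosis above and the `HttpSessionRequestCache.saveRequest` frame in the stack trace. This is an added example, not code from the project or its unit tests; it assumes the Spring Security 5.x `WebSecurityConfigurerAdapter` API used in the original post, and the class name and the `ADMIN_PASSWORD_BCRYPT` environment variable are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.savedrequest.NullRequestCache;

// Hypothetical class name; added example, not the project's own configuration.
@Configuration
@EnableWebSecurity
public class StatelessSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            // Never create or read an HttpSession: each Lambda invocation is
            // authenticated from its Authorization header alone.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Replace the default HttpSessionRequestCache (the frame that throws
            // in the stack trace) with a cache that stores nothing.
            .requestCache()
                .requestCache(new NullRequestCache())
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("admin")
            // Assumption: a BCrypt hash generated offline and supplied through a
            // hypothetical environment variable, so no plaintext password ships
            // in the deployment package. A missing value fails at startup.
            .password(System.getenv("ADMIN_PASSWORD_BCRYPT"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
```

With this policy an unauthenticated request should end in the 401 challenge from the Basic entry point rather than in an attempt to save the request to a session.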

sapessi added a commit that referenced this issue Mar 31, 2020
…uest asynchronously. This was causing race conditions in the SpringBoot 2 WebFlux implementation - requests that had to run through security or validation filters took longer and the library flushed an empty request, which caused the status code to default to 200. This fix addresses issues #279, #304, and #306
sapessi added this to the Release 1.5 milestone Apr 7, 2020
sapessi added a commit that referenced this issue Apr 8, 2020
* Bump spring.version in /aws-serverless-java-container-spring (#319)

Bumps `spring.version` from 5.1.9.RELEASE to 5.2.3.RELEASE.

Updates `spring-webmvc` from 5.1.9.RELEASE to 5.2.3.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v5.2.3.RELEASE)

Updates `spring-test` from 5.1.9.RELEASE to 5.2.3.RELEASE
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v5.2.3.RELEASE)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump spring-webflux in /aws-serverless-java-container-springboot2 (#318)

Bumps [spring-webflux](https://github.com/spring-projects/spring-framework) from 5.1.9.RELEASE to 5.2.0.RELEASE.
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](spring-projects/spring-framework@v5.1.9.RELEASE...v5.2.0.RELEASE)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: Fixing Spring build to use 5.2 as latest

* chore(deps): Bump Spring 5.1 path release to address a security vulnerability

* chore(deps): Fixing usual spring dependency mess with exclusions out of the spring-security package used in the tests

* Fix for issue #317 (#323)

* fix issue 317 - use charset from request

* update dependencies

* update build dependencies, remove spring boot 2.0.x

* restoring ci config

Co-authored-by: Stefano Buliani <2996317+sapessi@users.noreply.github.com>

* test: Fixed Spring security tests for SpringBoot 2, added validation tests and updated servlet tests to use the new servletApplication option

* fix: Avoid flushing the response buffer if we are dispatching the request asynchronously. This was causing race conditions in the SpringBoot 2 WebFlux implementation - requests that had to run through security or validation filters took longer and the library flushed an empty request, which caused the status code to default to 200. This fix addresses issues #279, #304, and #306

* chore(deps): Bump spring dependency version and added webmvc optional dependency to truly support Servlet-only server

* feat: New application type parameter to SpringBootLambdaContainerHandler that tells the framework whether to start a reactive or servlet-based embedded server. Also added a new servletApplication method to the builder object.

* test: Fixed UTF-8 encoding test

* ci: Fixed dependencies for CI run on SpringBoot 2

* ci: More Spring dependency convergence issues during CI

* fix: Added null-check on getServerName in case the multi-value headers property is null. Unlikely outside of tests but better safe than sorry. This addresses #327

* fix: Changed servlet initialization mechanism so that servlet that requests load on startup are initialized right away, as part of the initialization() method call in LambdaServletContainerHandler. Also centralized the lazy Servlet initialization to the ServletExecutionFilter so that we don't have code scattered all around. This begins to address #287

* feat: Added new 0-parameter constructor for async initializer that uses the actual JVM start time to calculate the timeout milliseconds. Also added the new method to the builder object and deprecated the current method that receives a milliseconds epoch parameter. I'm not deprecating the constructor of the async initializer class that receives the parameter as it may still be useful for tests. This change was suggested in #287

* fix: Updated SpringBoot 1.x handler to use the new servlet initialization mechanism

* ci: switch SpringBoot slow integration test to use a custom async time since the JVM is reused for both tests in the and we cannot reuse the actual JVM init time

* feat: New models for HTTP API support for #329

* feat: First implementation of HTTP API servlet request, request reader, and security context writer - continuing to address #329

* test: Basic unit tests for the new HTTP API support in core library (#329)

* feat: Updated log formatter to support both versions (1 and 2) of the proxy request model (#329)

* feat: Further generified request readers to read to a generic HttpServletRequest rather than specific implementations of it. This makes it easier to create container handler implementations that support HTTP API, API Gateway, and ALB (#329)

* test: Fixed tests for new logged and generified request readers

* feat: Added HTTP API support to Jersey implementation with new getHttpApiV2ProxyHandler method (#329)

* feat: Added HTTP API support to Spark implementation (#329)

* feat: Added HTTP API support to Spring implementation (#329)

* feat: HTTP API support in SpringBoot 2 implementation. bug: Fixed an issue with the implementation of AsyncContext where it wasn't dispatching if the handler wasn't set

* feat: First pass of HTTP API support in struts 2 implementation (#329)

* fix: Added support for HTTP APIs to the request dispatcher

* chore(deps): Dependency bump all around. Rotated Jersey ci versions

* fix: Updated stream handling logic to work with reactive applications as suggested in #316

* test: Added unit test to replicate #333

* feat: New configuration parameter to skip exception mapping and allow exception to bubble up from #307

* fix: Fixed spotbugs issue in RuntimeException cast

* test: Added tests for more complex content types mentioned in issue #315

* docs: Updated samples to support SAM CLI operations out of the box to address #293 and switched to HTTP API by default

* feat: Updated archetypes to work out of the box with the SAM CLI, continuing to address #293

* chore: License header pass on the entire project

* fix: Set default value for setDisableException mapper in config to false

* fix: Updated default initialization timeout to 20 seconds

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eran Medan <eranmeda@amazon.com>

sapessi commented Apr 8, 2020

Release 1.5 is making its way out to Maven central

sapessi closed this as completed Apr 8, 2020
@estigma88

Hi everyone, was this fixed? I am getting the same error with the 1.5 version


mohit224 commented Jun 1, 2020

@estigma88 were you able to find a fix? I am also getting the same error.
I reported this to @sapessi on a different thread:
#330


sapessi commented Jun 8, 2020

I'll reopen #330 and work to replicate there.
