When calling the REST API with a Bearer token, the Principal object is always null

[waltersve]

Hi,
I’m setting up Spring Cloud Gateway as both an OAuth2/OIDC client (for my SPA) and a resource server, following the guide here: https://github.com/ch4mpy/spring-addons/tree/master/spring-addons-starter-oidc#3-3. The client setup works perfectly (thanks for the great addon!), but on the resource-server side I’m running into an issue: the Principal is always null. When I debug, it looks like the wrong security filter chain is being applied (it’s invoking CsrfWebFilter and trying to resolve the security context from a WebSession).

...
[c.ServerCsrfTokenRequestAttributeHandler] : Wrote a CSRF token to the [org.springframework.security.web.server.csrf.CsrfToken] exchange attribute
...
[ebSessionServerSecurityContextRepository] : No SecurityContext found in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@2e82da2a'
 ....

This is my config:

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: https://acme.com/iam/auth/realms/72d55467-32e8-4e63-84f5-fcd2f1391012
            username-claim: $.preferred_username
            authorities:
              - path: $.roles
        client:
          client-uri: ${server-base-url}
          security-matchers:
            - /login/**
            - /oauth2/**
            - /logout
            - /ui/**
          permit-all:
            - /login/**
            - /oauth2/**
            - /public-ui/**
          back-channel-logout:
            enabled: true
          csrf: cookie_accessible_from_js
        resourceserver:
          permit-all:
            - /public-api/**
            - /*.js
            - /*.html
            - /*.eot
            - /*.ttf
            - /static/**
            - /assets/**
          csrf: disable
          enabled: true
          statless-sessions: true

The API request is a simple GET http://localhost:7070/registry-api/v2/cfcb4358-707f-443b-8f0d-a401a2cc4112/twins

I can also see in the log that the no route is matching and I would assume according to the docu that resourceserver chain will be used.

[18:26:53.204] [DEBUG] [tp2036431933-51] [o.s.s.w.s.u.m.OrServerWebExchangeMatcher] : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login/**', method=null}
[18:26:53.204] [DEBUG] [tp2036431933-51] [athPatternParserServerWebExchangeMatcher] : Request 'GET /registry-api/v2/cfcb4358-707f-443b-8f0d-a401a2cc4112/twins' doesn't match 'null /login/**'
[18:26:53.205] [DEBUG] [tp2036431933-51] [o.s.s.w.s.u.m.OrServerWebExchangeMatcher] : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/oauth2/**', method=null}
[18:26:53.205] [DEBUG] [tp2036431933-51] [athPatternParserServerWebExchangeMatcher] : Request 'GET /registry-api/v2/cfcb4358-707f-443b-8f0d-a401a2cc4112/twins' doesn't match 'null /oauth2/**'
[18:26:53.205] [DEBUG] [tp2036431933-51] [o.s.s.w.s.u.m.OrServerWebExchangeMatcher] : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=null}
[18:26:53.206] [DEBUG] [tp2036431933-51] [athPatternParserServerWebExchangeMatcher] : Request 'GET /registry-api/v2/cfcb4358-707f-443b-8f0d-a401a2cc4112/twins' doesn't match 'null /logout'
[18:26:53.206] [DEBUG] [tp2036431933-51] [o.s.s.w.s.u.m.OrServerWebExchangeMatcher] : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/ui/**', method=null}
[18:26:53.206] [DEBUG] [tp2036431933-51] [athPatternParserServerWebExchangeMatcher] : Request 'GET /registry-api/v2/cfcb4358-707f-443b-8f0d-a401a2cc4112/twins' doesn't match 'null /ui/**'
[18:26:53.206] [DEBUG] [tp2036431933-51] [o.s.s.w.s.u.m.OrServerWebExchangeMatcher] : No matches found

Do you have any suggestions or pointers I could follow? I’d greatly appreciate any help.

[ch4mpy]

Do you have spring-boot-starter-oauth2-resource-server on the classpath?

As a side note, on a gateway, you should not authorize requests to downstream resource servers with an oauth2ResourceServer filter chain. You should do it with the oauth2Login filter chain (the "client" filter chain in spring-addons-starter-oidc) and use the TokenRelay= filter to bridge from session cookie authorization (for the UI) to Bearer authorization (for downstream services). The resource server filter chain should be used only for the REST resources served by the gateway itself (actuator, OpenAPI spec, ...) and public resources. I described that in this article: https://www.baeldung.com/spring-cloud-gateway-bff-oauth2.

[waltersve]

Yes spring-boot-starter-oauth2-resource-server is on the class path (version 3.5.0). I set up the routing in the first version as you described routing internally with the filter. Currently I have a custom filter registered for the server (REST API) chain which takes a BearerTokenAuthentication or a OAuth2AuthenticationToken and creates and pushes downstream an internal JWT.

[ch4mpy]

If both spring-boot-starter-oauth2-resource-server and spring-addons-starter-oidc are on the classpath, then an oauth2ResourceServer filter chain with lowest precedence and no security-matcher should be exposed. It is used only if no other filter chain with higher precedence intercepts the request. Here, the "client" filter chain won't, but if you defined a filter chain yourself (or activated Spring Boot one), then maybe the oauth2ResourceServer filter chain by spring-addons is never reached.

Please add the code for any Java configuration you have. Is your project source accessible somewhere?

[waltersve]

You’re absolutely right. Yesterday evening I discovered that a custom filter definition was causing the issue once I removed it, token validation worked as expected. I still need to see whether I can eliminate the custom logout handler in the chain (it was required to prevent errors when logging out), but I suspect adding the missing configuration option would achieve the same result. Unfortunately, the code isn’t publicly available.

[waltersve]

Still struggling with two things:

• If I configure an additional bean to configure a SecurityWebFilterChain e.g. CRSF headers the other are not working any more () . The order is set:

@Bean
@Order( Ordered.HIGHEST_PRECEDENCE )
SecurityWebFilterChain apiTokenFilterChain( ServerHttpSecurity http, ApiGatewaySecurityProperties apiGatewaySecurityProperties ) {
      return http.csrf( csrfCustomizer -> csrf( csrfCustomizer, "host-test" ) ).build();
}

If that is defined, e.g. I`m getting the following response in the UI after clicked login:

{"error":{"path":"/oauth2/authorization/macma","message":"No static resource oauth2/authorization/macma."}}

• The default security header (filter) is not set, if that is define as global filter

spring:
  cloud:
    gateway:
      server:
        webflux:
          enabled: true
          filter:
            secure-headers:
              referrer-policy: "no-referrer"
              content-security-policy: "..."

[waltersve]

... I did the following to apply the configurartion:

   @Bean
   ClientReactiveHttpSecurityPostProcessor cspExchangeClientSpecPostProcessor( SecureHeadersProperties secureHeadersProperties ) {
      return ( ServerHttpSecurity http ) -> http
            .headers( headers -> headers
                  .contentSecurityPolicy( csp -> csp
                        .policyDirectives( secureHeadersProperties.getContentSecurityPolicy() )
                  )
            );
   }

   @Bean
   ResourceServerReactiveHttpSecurityPostProcessor cspExchangeResourceServerSpecPostProcessor( SecureHeadersProperties secureHeadersProperties ) {
      return ( ServerHttpSecurity http ) -> http
            .headers( headers -> headers
                  .contentSecurityPolicy( csp -> csp
                        .policyDirectives( secureHeadersProperties.getContentSecurityPolicy() )
                  )
            );
   }

Not sure this is workaround for a miss-configuration I did :) or intended to do so because have registered it as global filter would expected I have nothing todo in addition ???

[ch4mpy]

A few things:

• Unless using a Java version below 21 (without virtual threads), you should consider using the servlet version of the gateway.
• A request is processed with only one Security(Web)FilterChain. When defining several, all but the last one in @Order must contain a securityMatcher statement for the next ones to have a chance to be tried
• CSRF attack vector is sessions. You don't want protection against CSRF in a stateless filter-chain (oauth2ResourceServer or disabled security)

Sample conf in this other discussion