Posted to dev@fineract.apache.org by reza sohbati <so...@gmail.com> on 2020/10/07 11:26:47 UTC

actuator/health does not work in 'oauth' build

Hello everyone

When I build the Fineract with -Psecurity=oauth argument, everything is OK
but the actuator health API does not return the proper value.
I try to call this API :
*           fineract-provider/actuator/health*

Thank you

Re: actuator/health does not work in 'oauth' build

Posted by Petri Tuomola <pe...@tuomola.org>.
Yes - if you look at securityContext, you can see that TenantAwareTenantIdentifierFilter is only applied in the “oauth” profile. It doesn’t get used in the basicauth scenario.

I think there are actually two different issues here:

1. TenantAwareTenantIdentifierFilter rejects the request to /actuator/health because it has no tenant identifier in it. But even if we work around this by adding a check for the specific path /fineract-provider/actuator/health and bypassing the check, we hit the next issue

2. In oauth profile, Spring does not register DispatcherServlet as it thinks it has already been registered. So even if the filter is bypassed, you end up with 404 because there is no DispatcherServlet to route the call to the Spring Actuator.

I think the 2nd problem is because one of the filters used for oauth gets registered as a servlet filter - this seems to be default behaviour of Spring. See here for example:

"One last thing: In case you are using a custom authentication filter (e.g. for token based authentication) you might have to take care that you don't register your filter as a Servlet Filter as well. You can influence that by configuring a method returning a FilterRegistrationBean and accepting an instance of your Filter. just create a new FilterRegistrationBean for your filter and set enabled to false." from http://blog.florian-hopf.de/2017/08/spring-security.html

But oauth / Spring Security is not my area of expertise, so would be great if someone with more knowledge could comment (and ideally, provide a fix)…

Regards
Petri

> On 8 Oct 2020, at 11:44 PM, reza sohbati <so...@gmail.com> wrote:
> 
> Thank you for your response.
> I ran the code with the basic profile and I put the breakpoint in TenantAwareBasicAuthenticationFilter.java class. By calling /actuator/health I realized that this filter does not execute in the actuator endpoints, but in oauth profile mode the filter TenantAwareTenantIdentifierFilter.java executes.
> I think maybe the problem is in securityContext.xml configuration. I checked it but I couldn't find out any differences.
> 
> 
> On Thu, Oct 8, 2020 at 6:58 AM Petri Tuomola <petri@tuomola.org> wrote:
> I took a quick look at this: I think the problem is that TenantAwareTenantIdentifierFilter rejects the request with InvalidTenantIdentiferException because the URL (/fineract-provider/actuator/health) does not have a tenant identifier. 
> 
> I’m not an expert on Spring Security, but I’m assuming this means the custom-filter tag in securityContext that we use to insert the TenantAwareTenantIdentifierFilter doesn’t actually “respect” the URL pattern specified in the enclosing http tags: i.e. the custom filter gets inserted to the filter chain for all URLs, not for ones matching the specific URL pattern. 
> 
> Regards
> Petri
> 
>> On 7 Oct 2020, at 10:31 PM, Yemdjih Kaze Nasser <kazenasser@gmail.com> wrote:
>> 
>> Hi,
>> 
>> What does the call to actuator/health return?
>> 
>> On Wed, Oct 7, 2020 at 12:27 PM reza sohbati <sohbati@gmail.com> wrote:
>> Hello everyone
>> 
>> When I build the Fineract with -Psecurity=oauth argument, everything is OK but the actuator health API does not return the proper value.
>> I try to call this API : 
>>            fineract-provider/actuator/health
>> 
>> Thank you
>> 
>> 
> 
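
The two measures mentioned in the reply above (an exact-path bypass for the health endpoint, and a disabled FilterRegistrationBean so the filter is not also registered as a servlet filter), as an added example that is not part of the original thread and not Fineract's code. It assumes Spring Boot 2.x with javax.servlet; the class names and the X-Tenant-Id header are hypothetical stand-ins.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical stand-in for a tenant-identifier filter (not Fineract's class).
class TenantIdentifierFilterSketch extends OncePerRequestFilter {
    // Path relative to the context path (/fineract-provider in the thread).
    private static final String HEALTH_PATH = "/actuator/health";

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Exact match on the raw URI: prefixes, suffixes, ";params" or encoded
        // variants do not match and still go through the tenant check.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return HEALTH_PATH.equals(path);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String tenant = request.getHeader("X-Tenant-Id"); // hypothetical header name
        if (tenant == null || tenant.trim().isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "No tenant identifier");
            return; // reject: every other path still requires a tenant
        }
        chain.doFilter(request, response);
    }
}

@Configuration
class TenantFilterRegistrationSketch {
    @Bean
    TenantIdentifierFilterSketch tenantIdentifierFilter() {
        return new TenantIdentifierFilterSketch();
    }

    // Spring Boot registers every Filter bean with the servlet container by
    // default; disabling the registration leaves the filter to run only where
    // the Spring Security chain inserts it.
    @Bean
    FilterRegistrationBean<TenantIdentifierFilterSketch> tenantFilterRegistration(
            TenantIdentifierFilterSketch filter) {
        FilterRegistrationBean<TenantIdentifierFilterSketch> reg = new FilterRegistrationBean<>(filter);
        reg.setEnabled(false);
        return reg;
    }
}
```

Keeping the bypass to one exact path means anything that does not match falls back to the tenant check rather than skipping it.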


Re: actuator/health does not work in 'oauth' build

Posted by reza sohbati <so...@gmail.com>.
Thank you for your response.
I ran the code with the basic profile and I put the breakpoint in
*TenantAwareBasicAuthenticationFilter*.*java* class. By
calling /actuator/health I realized that this filter does not execute in
the actuator endpoints, but in oauth profile mode the filter
*TenantAwareTenantIdentifierFilter.java* executes.
I think maybe the problem is in *securityContext.xml* configuration. I
checked it but I couldn't find out any differences.


On Thu, Oct 8, 2020 at 6:58 AM Petri Tuomola <pe...@tuomola.org> wrote:

> I took a quick look at this: I think the problem is that
> TenantAwareTenantIdentifierFilter rejects the request with
> InvalidTenantIdentiferException because the URL
> (/fineract-provider/actuator/health) does not have a tenant identifier.
>
> I’m not an expert on Spring Security, but I’m assuming this means the
> custom-filter tag in securityContext that we use to insert the
> TenantAwareTenantIdentifierFilter doesn’t actually “respect” the URL
> pattern specified in the enclosing http tags: i.e. the custom filter gets
> inserted to the filter chain for all URLs, not for ones matching the
> specific URL pattern.
>
> Regards
> Petri
>
> On 7 Oct 2020, at 10:31 PM, Yemdjih Kaze Nasser <ka...@gmail.com>
> wrote:
>
> Hi,
>
> What does the call to actuator/health return?
>
> On Wed, Oct 7, 2020 at 12:27 PM reza sohbati <so...@gmail.com> wrote:
>
>> Hello everyone
>>
>> When I build the Fineract with -Psecurity=oauth argument, everything
>> is OK but the actuator health API does not return the proper value.
>> I try to call this API :
>> *           fineract-provider/actuator/health*
>>
>> Thank you
>>
>>
>>
>

Re: actuator/health does not work in 'oauth' build

Posted by Petri Tuomola <pe...@tuomola.org>.
I took a quick look at this: I think the problem is that TenantAwareTenantIdentifierFilter rejects the request with InvalidTenantIdentiferException because the URL (/fineract-provider/actuator/health) does not have a tenant identifier. 

I’m not an expert on Spring Security, but I’m assuming this means the custom-filter tag in securityContext that we use to insert the TenantAwareTenantIdentifierFilter doesn’t actually “respect” the URL pattern specified in the enclosing http tags: i.e. the custom filter gets inserted to the filter chain for all URLs, not for ones matching the specific URL pattern. 

Regards
Petri

> On 7 Oct 2020, at 10:31 PM, Yemdjih Kaze Nasser <ka...@gmail.com> wrote:
> 
> Hi,
> 
> What does the call to actuator/health return?
> 
> On Wed, Oct 7, 2020 at 12:27 PM reza sohbati <sohbati@gmail.com> wrote:
> Hello everyone
> 
> When I build the Fineract with -Psecurity=oauth argument, everything is OK but the actuator health API does not return the proper value.
> I try to call this API : 
>            fineract-provider/actuator/health
> 
> Thank you
> 
> 


Re: actuator/health does not work in 'oauth' build

Posted by Yemdjih Kaze Nasser <ka...@gmail.com>.
Hi,

What does the call to actuator/health return?

On Wed, Oct 7, 2020 at 12:27 PM reza sohbati <so...@gmail.com> wrote:

> Hello everyone
>
> When I build the Fineract with -Psecurity=oauth argument, everything is OK
> but the actuator health API does not return the proper value.
> I try to call this API :
> *           fineract-provider/actuator/health*
>
> Thank you
>
>
>