AtlasOfLivingAustralia/ala-auth-plugin

HttpServletRequestWrapper breaks secured Spring Boot actuators with Spring Security authentication

Closed this issue · 0 comments

When the CAS HttpServletRequestWrapper is applied to all URIs (as it is in the latest versions of the auth plugin), it overrides the isUserInRole method to check the CAS assertion only; the part relevant to this bug is that it never falls back to the wrapped request's isUserInRole when the CAS check fails. Spring Boot Actuator security uses this method to check whether the user has the required role (ACTUATOR by default).

When the actuator endpoints are secured with Spring Security basic auth for, e.g., monitoring purposes, this means the roles of the basic auth user are never discovered, and monitoring requests are rejected with a 401 response.

Possible fixes might be:

  • Wrap the HttpServletRequestWrapper to add URI based exclusions.
  • Patch / override the HttpServletRequestWrapper to delegate to the wrapped request in case of failure. This would also allow ALA Admins to view the endpoints with appropriate configuration / role.
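As an added illustration of the second option (this is not code from ala-auth-plugin; the class name and the CAS role attribute name are assumptions), a wrapper whose isUserInRole consults the CAS assertion first and otherwise delegates to the wrapped request, so roles established by Spring Security basic auth remain visible to the actuator checks:

```java
import java.util.Collection;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.jasig.cas.client.util.AbstractCasFilter;
import org.jasig.cas.client.validation.Assertion;

/**
 * Hypothetical wrapper: checks the CAS assertion for the role and, on failure,
 * delegates to the wrapped request instead of returning false outright.
 */
public class DelegatingCasRequestWrapper extends HttpServletRequestWrapper {

    // Assumed name of the CAS principal attribute that carries the user's roles;
    // the issue does not state what the plugin uses.
    private static final String ROLE_ATTRIBUTE = "role";

    public DelegatingCasRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public boolean isUserInRole(String role) {
        // CAS path: the CAS client filters expose the validated assertion as a request attribute.
        Object attr = getRequest().getAttribute(AbstractCasFilter.CONST_CAS_ASSERTION);
        if (attr instanceof Assertion && casRoleMatches((Assertion) attr, role)) {
            return true;
        }
        // Fallback: delegate to the wrapped request. When Spring Security has wrapped the
        // request for a basic-auth user, its isUserInRole answers from the SecurityContext,
        // which is exactly the lookup that currently never happens for the ACTUATOR role.
        return super.isUserInRole(role);
    }

    private static boolean casRoleMatches(Assertion assertion, String role) {
        Map<String, Object> attributes = assertion.getPrincipal().getAttributes();
        Object roles = attributes.get(ROLE_ATTRIBUTE);
        if (roles instanceof Collection) {
            return ((Collection<?>) roles).stream()
                    .anyMatch(r -> role.equalsIgnoreCase(String.valueOf(r)));
        }
        return roles != null && role.equalsIgnoreCase(String.valueOf(roles));
    }
}
```

Filter order matters: the fallback only sees basic-auth roles if this wrapper is applied after Spring Security's filter chain has wrapped the request.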