I'm having a problem with Spring Security and OAuth 2.0 on Google App Engine.
I set up OAuth using this tutorial and everything works fine locally. When accessing any endpoint other than "/" you're being redirected to Google login page.
Problem starts when I deploy application to Google App Engine.
Application keeps restarting and the logs aren't very clear. I tried setting up everything from scratch and I found that even when changing only pom.xml file and adding either spring-boot-starter-security or spring-boot-starter-oauth2-client dependency without adding any security related code causes application to restart.
I think it may be something related to security autoconfiguration, but I'm mostly .NET developer and I really have no clue how to even find this error.
What I expect is application to work as fine on GAE as it works locally.
My pom.xml file looks as follows:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>time-off-backend</artifactId>
<packaging>jar</packaging>
<name>time-off-backend</name>
<description>Time-off project</description>
<groupId>pl.devapo</groupId>
<version>1.0.0</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<java.version>11</java.version>
</properties>
<profiles>
<profile>
<id>cloud-gcp</id>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-gcp-starter</artifactId>
<version>1.1.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-gcp-starter-sql-mysql</artifactId>
<version>1.0.0.RELEASE</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>com.google.cloud.tools</groupId>
<artifactId>appengine-maven-plugin</artifactId>
<version>1.3.2</version>
</plugin>
</plugins>
</build>
</profile>
</profiles>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.4</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.4.200</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
<version>1.18.20</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.0</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
<version>2.4.4</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.9.2</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.9.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
<version>2.5.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.5.2</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration>
<mainClass>
pl.devapo.timeoff.TimeOffApplication
</mainClass>
</configuration>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- todo delete-->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>11</source>
<target>11</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
app-test.yaml file:
runtime: java11
service: backend-test
entrypoint: java -Xmx64m -jar target/time-off-backend-1.0.0.jar --debug
env_variables:
SPRING_PROFILES_ACTIVE: "test"
DATABASE_USERNAME: ...
DATABASE_PASSWORD: ...
handlers:
- url: /.*
script: this field is required, but ignored
manual_scaling:
instances: 1
in my application.properties file I added these two lines:
spring.security.oauth2.client.registration.google.client-id=...
spring.security.oauth2.client.registration.google.client-secret=...
and finally my SecurityConfig.java file:
package pl.devapo.timeoff.config;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http
.antMatcher("/**").authorizeRequests()
.antMatchers(new String[]{"/", "/not-restricted"}).permitAll()
.anyRequest().authenticated()
.and()
.oauth2Login();
}
}
Logs look like this:
2021-07-20 17:07:56 backend-test[20210720t190541] . ____ _ __ _ _
2021-07-20 17:07:56 backend-test[20210720t190541] /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
2021-07-20 17:07:56 backend-test[20210720t190541] ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
2021-07-20 17:07:56 backend-test[20210720t190541] \\/ ___)| |_)| | | | | || (_| | ) ) ) )
2021-07-20 17:07:56 backend-test[20210720t190541] ' |____| .__|_| |_|_| |_\__, | / / / /
2021-07-20 17:07:56 backend-test[20210720t190541] =========|_|==============|___/=/_/_/_/
2021-07-20 17:07:56 backend-test[20210720t190541] :: Spring Boot :: (v2.4.4)
2021-07-20 17:07:56 backend-test[20210720t190541]
2021-07-20 17:07:57 backend-test[20210720t190541] 2021-07-20 17:07:57.024 INFO 10 --- [ main] pl.devapo.timeoff.TimeOffApplication : Starting TimeOffApplication using Java 11.0.11 on localhost with PID 10 (/workspace/target/time-off-backend-1.0.0.jar started by www-data in /workspace)
2021-07-20 17:07:57 backend-test[20210720t190541] 2021-07-20 17:07:57.028 INFO 10 --- [ main] pl.devapo.timeoff.TimeOffApplication : The following profiles are active: test
2021-07-20 17:07:58 backend-test[20210720t190541] 2021-07-20 17:07:58.759 INFO 10 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2021-07-20 17:07:58 backend-test[20210720t190541] 2021-07-20 17:07:58.919 INFO 10 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 148 ms. Found 6 JPA repository interfaces.
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.006 INFO 10 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.024 INFO 10 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.024 INFO 10 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.44]
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.108 INFO 10 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.108 INFO 10 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2967 ms
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.836 INFO 10 --- [ main] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [name: default]
2021-07-20 17:08:00 backend-test[20210720t190541] 2021-07-20 17:08:00.929 INFO 10 --- [ main] org.hibernate.Version : HHH000412: Hibernate ORM core version 5.4.29.Final
2021-07-20 17:08:01 backend-test[20210720t190541] 2021-07-20 17:08:01.162 INFO 10 --- [ main] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
2021-07-20 17:08:01 backend-test[20210720t190541] 2021-07-20 17:08:01.320 INFO 10 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting...
2021-07-20 17:08:01 backend-test[20210720t190541] 2021-07-20 17:08:01.649 INFO 10 --- [ main] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed.
2021-07-20 17:08:01 backend-test[20210720t190541] 2021-07-20 17:08:01.705 INFO 10 --- [ main] org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
2021-07-20 17:08:03 backend-test[20210720t190541] 2021-07-20 17:08:03.478 INFO 10 --- [ main] o.h.e.t.j.p.i.JtaPlatformInitiator : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2021-07-20 17:08:03 backend-test[20210720t190541] 2021-07-20 17:08:03.501 INFO 10 --- [ main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2021-07-20 17:08:04 backend-test[20210720t190541] 2021-07-20 17:08:04.444 WARN 10 --- [ main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2021-07-20 17:08:05 backend-test[20210720t190541] 2021-07-20 17:08:05.096 INFO 10 --- [ main] pertySourcedRequestMappingHandlerMapping : Mapped URL path [/v2/api-docs] onto method [springfox.documentation.swagger2.web.Swagger2Controller#getDocumentation(String, HttpServletRequest)]
2021-07-20 17:08:05 backend-test[20210720t190541] 2021-07-20 17:08:05.407 INFO 10 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.071 INFO 10 --- [ main] o.s.s.web.DefaultSecurityFilterChain : Will secure Ant [pattern='/**'] with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@2ac519dc, org.springframework.security.web.context.SecurityContextPersistenceFilter@2b73bd6b, org.springframework.security.web.header.HeaderWriterFilter@5f0bab7e, org.springframework.security.web.csrf.CsrfFilter@1eb9a3ef, org.springframework.security.web.authentication.logout.LogoutFilter@2da81754, org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter@5e593b08, org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter@3946075, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@4998e74b, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@3d53e6f7, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@750ed637, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@18d11527, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@1de4bee0, org.springframework.security.web.session.SessionManagementFilter@337a6d30, org.springframework.security.web.access.ExceptionTranslationFilter@58fd1214, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@3fe512d2]
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.163 INFO 10 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.166 INFO 10 --- [ main] d.s.w.p.DocumentationPluginsBootstrapper : Context refreshed
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.244 INFO 10 --- [ main] d.s.w.p.DocumentationPluginsBootstrapper : Found 1 custom documentation plugin(s)
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.311 INFO 10 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet'
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.312 INFO 10 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet'
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.343 INFO 10 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 31 ms
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.346 INFO 10 --- [ main] s.d.s.w.s.ApiListingReferenceScanner : Scanning for api listing references
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.617 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: findUsingGET_1
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.620 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: getUsingGET_1
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.655 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: findUsingGET_2
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.657 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: getUsingGET_2
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.669 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: findUsingGET_3
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.671 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: getUsingGET_3
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.687 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: cancelUsingPOST_1
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.695 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: findUsingGET_4
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.697 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: getUsingGET_4
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.705 INFO 10 --- [ main] .d.s.w.r.o.CachingOperationNameGenerator : Generating unique operation named: saveUsingPOST_1
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.769 INFO 10 --- [ main] pl.devapo.timeoff.TimeOffApplication : Started TimeOffApplication in 10.578 seconds (JVM running for 11.602)
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.796 INFO 10 --- [extShutdownHook] o.s.s.concurrent.ThreadPoolTaskExecutor : Shutting down ExecutorService 'applicationTaskExecutor'
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.801 INFO 10 --- [extShutdownHook] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.804 INFO 10 --- [extShutdownHook] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown initiated...
2021-07-20 17:08:06 backend-test[20210720t190541] 2021-07-20 17:08:06.808 INFO 10 --- [extShutdownHook] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Shutdown completed.
2021-07-20 17:08:07 backend-test[20210720t190541] {"severity": "WARNING", "message": "App is listening on port 8080. We recommend your app listen on the port defined by the PORT environment variable to take advantage of an NGINX layer on port 8080."}\n
After reviewing logs in debug level we found out that GAE needs endpoint /_ah/start to start the application and since spring security autoconfiguration secures all endpoints by default you need to unsecure /_ah/start endpoint in order to make it work well on GAE.
So after adding these to our SecurityConfig configure method everything started working well:
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/_ah/start").permitAll()
.and()
.antMatcher("/**").authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login();
}
}