Application startup failure #505

@Flame239

I'm submitting a

  • bug report

Background info

Application startup fails if no oauth2ResourceServer() in custom SecurityFilterChain

Reported as well for the sample-java-spring app: okta/samples-java-spring#151

Expected behavior

Application starts up successfully

What went wrong?

Exception
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.NullPointerException: Cannot invoke "Object.getClass()" because "o" is null
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:658) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:486) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1352) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1195) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:322) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:955) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:918) ~[spring-context-5.3.23.jar:5.3.23]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:583) ~[spring-context-5.3.23.jar:5.3.23]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:147) ~[spring-boot-2.7.5.jar:2.7.5]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:734) ~[spring-boot-2.7.5.jar:2.7.5]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:408) ~[spring-boot-2.7.5.jar:2.7.5]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:308) ~[spring-boot-2.7.5.jar:2.7.5]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306) ~[spring-boot-2.7.5.jar:2.7.5]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1295) ~[spring-boot-2.7.5.jar:2.7.5]
	at com.okta.spring.example.CodeFlowExampleApplication.main(CodeFlowExampleApplication.java:22) ~[classes/:na]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:578) ~[na:na]
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) ~[spring-boot-devtools-2.7.5.jar:2.7.5]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.NullPointerException: Cannot invoke "Object.getClass()" because "o" is null
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.23.jar:5.3.23]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.23.jar:5.3.23]
	... 24 common frames omitted
Caused by: java.lang.NullPointerException: Cannot invoke "Object.getClass()" because "o" is null
	at java.base/jdk.internal.reflect.MethodHandleFieldAccessorImpl.ensureObj(MethodHandleFieldAccessorImpl.java:62) ~[na:na]
	at java.base/jdk.internal.reflect.MethodHandleObjectFieldAccessorImpl.set(MethodHandleObjectFieldAccessorImpl.java:101) ~[na:na]
	at java.base/java.lang.reflect.Field.set(Field.java:820) ~[na:na]
	at com.okta.spring.boot.oauth.OktaOAuth2Configurer.lambda$unsetJwtConfigurer$1(OktaOAuth2Configurer.java:155) ~[okta-spring-security-oauth2-2.1.6.jar:2.1.6]
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:318) ~[na:na]
	at com.okta.spring.boot.oauth.OktaOAuth2Configurer.unsetJwtConfigurer(OktaOAuth2Configurer.java:149) ~[okta-spring-security-oauth2-2.1.6.jar:2.1.6]
	at com.okta.spring.boot.oauth.OktaOAuth2Configurer.configureResourceServerForOpaqueTokenValidation(OktaOAuth2Configurer.java:191) ~[okta-spring-security-oauth2-2.1.6.jar:2.1.6]
	at com.okta.spring.boot.oauth.OktaOAuth2Configurer.init(OktaOAuth2Configurer.java:77) ~[okta-spring-security-oauth2-2.1.6.jar:2.1.6]
	at com.okta.spring.boot.oauth.OktaOAuth2Configurer.init(OktaOAuth2Configurer.java:40) ~[okta-spring-security-oauth2-2.1.6.jar:2.1.6]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:338) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:300) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:313) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:88) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:305) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-5.7.4.jar:5.7.4]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:125) ~[spring-security-config-5.7.4.jar:5.7.4]
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:578) ~[na:na]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.23.jar:5.3.23]
	... 25 common frames omitted

Apparently, OktaOAuth2Configurer tries to configure OAuth2ResourceServerConfigurer even though it's not present in HttpSecurity, as we declare only oauth2Client() and oauth2Login() in our WebConfig.

Adding .and().oauth2ResourceServer() fixes the issue, but what if I don't want a resource server?
There is a situation where I switch between Okta and another security config (with another SecurityFilterChain not related to oauth2) and it doesn't work.

Steps to reproduce

Run okta-hosted-login sample java app

SDK Version

okta-spring-boot-starter:2.1.6
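
The failure mode in the trace above (a reflective Field.set on a configurer that was never registered), reproduced with stand-in classes as an added example; this is not code from the Okta SDK or from the reporter. ResourceServerStub, the configurers map and both unset methods are hypothetical names, and the null guard is one possible defensive pattern, not the project's fix.

```java
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class NullConfigurerDemo {
    // Stand-in for OAuth2ResourceServerConfigurer (hypothetical, not the Spring class).
    static class ResourceServerStub {
        private Object jwtConfigurer = new Object();
    }

    // Stand-in for the filter chain's configurer registry (assumption): a lookup
    // yields null when the chain never called oauth2ResourceServer().
    static final Map<Class<?>, Object> configurers = new HashMap<>();

    // Unguarded: same call shape as the trace, Field.set on whatever the lookup returned.
    static void unsetUnguarded(Object target) throws ReflectiveOperationException {
        Field f = ResourceServerStub.class.getDeclaredField("jwtConfigurer");
        f.setAccessible(true);
        f.set(target, null); // instance field + null target => NullPointerException
    }

    // Guarded: skip resource-server customisation when no configurer is registered.
    static boolean unsetGuarded(Object target) throws ReflectiveOperationException {
        if (target == null) {
            return false; // client/login-only chain: nothing to unset
        }
        unsetUnguarded(target);
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed scenario 1: chain declares only oauth2Client() and oauth2Login().
        Object missing = configurers.get(ResourceServerStub.class);
        try {
            unsetUnguarded(missing);
        } catch (NullPointerException e) {
            System.out.println("unguarded: " + e.getClass().getSimpleName());
        }
        System.out.println("guarded, missing: " + unsetGuarded(missing));

        // Constructed scenario 2: chain also declares oauth2ResourceServer().
        ResourceServerStub present = new ResourceServerStub();
        configurers.put(ResourceServerStub.class, present);
        System.out.println("guarded, present: "
                + unsetGuarded(configurers.get(ResourceServerStub.class)));
        System.out.println("field cleared: " + (present.jwtConfigurer == null));
    }
}
```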
