Hello, I ran into strange behavior when I disabled anonymous() in WebSecurityConfigurerAdapter with the oauth2ResourceServer().jwt() option. This setting throws an exception on startup: An AuthenticationManager is required. Version used: 2.2.4.RELEASE. The same settings work on 2.1.x.RELEASE.
Yes, I understand that if I specify a bean the error will disappear, but this behavior seems strange.
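
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    public class AnonymousDisableApplication extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .anyRequest()
                    .authenticated()
                    .and()
                // Disabling anonymous authentication triggers the startup failure
                .anonymous()
                    .disable()
                .oauth2ResourceServer()
                    .jwt()
            ;
        }
    }
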
Comment From: mbhave
This appears to be a side-effect of #17646. We hadn't considered this when we made that change.
@rwinch @jzheaux what's the best way to prevent generating a default password for a resource server without requiring the user to declare an AuthenticationManager in cases like this?
Comment From: shermende
Understood, thanks.
Comment From: jzheaux
@shermende it's possible that this is a bug in Spring Security. Would you mind logging a ticket there, so that we can take a look?