[ https://issues.apache.org/jira/browse/FINERACT-1282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Petri Tuomola reassigned FINERACT-1282:
---------------------------------------

    Assignee: Petri Tuomola

> Health actuator gives 404 when in oauth mode
> --------------------------------------------
>
>                 Key: FINERACT-1282
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1282
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Security
>            Reporter: Petri Tuomola
>            Assignee: Petri Tuomola
>            Priority: Major
>
> As reported on the Dev mailing list, when you start Fineract in the oauth
> mode, the health actuator URL does not work - it returns 404 instead.
> This seems to be related to the TenantAwareTenantIdentifierFilter:
> If you look at securityContext, you can see that
> TenantAwareTenantIdentifierFilter is only applied in the “oauth” profile. It
> doesn’t get used in the basicauth scenario.
>
> I think there are actually two different issues here:
>
> 1. TenantAwareTenantIdentifierFilter rejects the request to /actuator/health
> because it has no tenant identifier in it. But even if we work around this by
> adding a check for the specific path /fineract-provider/actuator/health and
> bypassing the check, we hit the next issue.
>
> 2. In oauth profile, Spring does not register DispatcherServlet as it thinks
> it has already been registered. So even if the filter is bypassed, you end up
> with 404 because there is no DispatcherServlet to route the call to the
> Spring Actuator.
>
> I think the 2nd problem is because one of the filters used for oauth gets
> registered as a servlet filter - this seems to be default behaviour of
> Spring. See here for example:
>
> "One last thing: In case you are using a custom authentication filter (e.g.
> for token based authentication) you might have to take care that you don't
> register your filter as a Servlet Filter as well. You can influence that by
> configuring a method returning a FilterRegistrationBean and accepting an
> instance of your Filter. just create a new FilterRegistrationBean for your
> filter and set enabled to false.” from
> [http://blog.florian-hopf.de/2017/08/spring-security.html]
>
> But oauth / Spring Security is not my area of expertise, so would be great if
> someone with more knowledge could comment (and ideally, provide a fix)…
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)