Tigase Forge
Dashboards
Projects
Global Views
Code Search
sztab
Issues
List
Boards
Iterations
Builds
Statistics
Child Projects
OneDev 11.9.7
Documentation Support & Bug Report RESTful API Incompatibilities License Agreement Check Update
Projects sztab Issues SZ-20
Basic Auth fails with HTTP 401 due to missing PasswordEncoder wiring (SZ-20)
rk@tigase.net opened 1 day ago

Problem

Sztab backend (v1.2) fails to authenticate the admin user via HTTP Basic Auth when running via Docker Compose, even though:

  • The database contains the correct BCrypt hash for the admin password.
  • The PasswordEncoder bean is correctly declared in BasicAuthSecurityConfig.

Root Cause

The JdbcUserDetailsManager bean is not explicitly wired to the PasswordEncoder, so Spring Security may use the default (noop) encoder during authentication, leading to password mismatch.

Logs

curl -v -u admin:admin123 http://localhost:8080/api/users
...
< HTTP/1.1 401

Workaround

No temporary workaround unless Spring autowires correctly via global context — behavior is unpredictable and environment-dependent.

Fix Plan

Inject the PasswordEncoder into JdbcUserDetailsManager explicitly in BasicAuthSecurityConfig:

@Bean
public JdbcUserDetailsManager userDetailsService(final DataSource dataSource,
                                                 final PasswordEncoder passwordEncoder) {
    JdbcUserDetailsManager manager = new JdbcUserDetailsManager(dataSource);
    manager.setPasswordEncoder(passwordEncoder);
    return manager;
}

Impact

Only affects Basic Auth login for users stored in the DB (e.g., admin). All other functionality remains unaffected.

  • rk@tigase.net changed state to 'In Progress' 1 day ago
    Previous Value Current Value 
    Open
    		 
    In Progress
  • rk@tigase.net commented 1 day ago

    Estimated Time: 1h30m
    Actual Time Logged: TBD (after fix)

  • rk@tigase.net commented 8 hours ago

    Work Log for SZ-20: Enable Basic Auth with JDBC-backed UserDetailsService

    Timeline

    • 2025-10-22: Issue created to address 401 Unauthorized errors despite correct credentials.
    • 2025-10-23:
      • Implemented CustomUserDetailsService backed by Spring Data JPA.
      • Updated BasicAuthSecurityConfig to use JDBC authentication and PasswordEncoder.
      • Added role-based access using @PreAuthorize and verified /api/users requires ROLE_ADMIN.
      • Verified login behavior via curl -u admin@sztab.local:admin123 on /api/users.
    • 2025-10-24:
      • Verified account creation and role assignment via POST /api/users.
      • Diagnosed and resolved TransientObjectException by passing role id in payload instead of just name.
      • Used curl to list roles and confirm IDs.
      • Added MarkdownViewController and /docs/index.html as static endpoint for testing public access.
      • Implemented and verified unit tests for CustomUserDetailsService.
      • Merged branch bugfix/sz20-basic-auth-yields-401 to wolnosc.

    Technical Changes

    • Created CustomUserDetailsService.java to load users and roles from database.
    • Updated Spring Security config (BasicAuthSecurityConfig.java) to:
      • Use UserDetailsService
      • Encode passwords using BCryptPasswordEncoder
      • Permit actuator endpoints and static docs without authentication
    • Cleaned up application.yml to use properties appropriate for JDBC auth
    • Verified via curl that:
      • Basic Auth protects /api/** endpoints
      • Role-based restrictions are enforced
      • New users can be created with valid credentials
    • Ensured new controller (/docs/**) is public

    Resolution

    Basic Authentication is now enabled and functional using a JDBC-backed UserDetailsService.
    Test coverage added for the service, and curl calls verified successful user creation and protection of endpoints.
    Branch bugfix/sz20-basic-auth-yields-401 merged to wolnosc.

    No version bump needed as this does not introduce any new externally visible features — internal correctness fix only.

  • rk@tigase.net commented 8 hours ago

    Resolved.

    Final implementation uses a JDBC-backed UserDetailsService and fully verifies Basic Auth with curl-based user creation, login, and role retrieval.

    I originally estimated 2 hours but ended up spending ~7 hours, including time on a now-suspended UT approach. This helped clarify some Spring Security profile behavior, and I’ll factor this into future estimates.

    Changes merged into wolnosc.

  • rk@tigase.net changed state to 'Closed' 8 hours ago
    Previous Value Current Value 
    In Progress
    		 
    Closed
  • rk@tigase.net referenced from other issue 8 hours ago
    Login window when running with Docker compose (SZ-21)
    In Progress
issue 1 of 1
Type
Bug
Priority
Normal
Assignee
rk@tigase.net
Version
1.0
Sprints
n/a
Customer
n/a
Issue Votes (0)
Login to vote
Watchers (3)
Reference
SZ-20
Please wait...
Page is in error, reload to recover