Closed
Description
Describe the bug
When using `oauth2ResourceServer` with `authenticationManagerResolver` while having anonymous login disabled, the application fails to start up with the following cause. This behavior only happens since Spring Boot 3.5.0 and spring-security 6.5.0. With spring-security 6.4.6 the application would start up without a problem.
```
Caused by: java.lang.IllegalArgumentException: tokenAuthenticationManager cannot be null
	at org.springframework.util.Assert.notNull(Assert.java:181) ~[spring-core-6.2.7.jar:6.2.7]
	at org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider.<init>(DPoPAuthenticationProvider.java:73) ~[spring-security-oauth2-resource-server-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.DPoPAuthenticationConfigurer.configure(DPoPAuthenticationConfigurer.java:79) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:288) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:147) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:398) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:352) ~[spring-security-config-6.5.0.jar:6.5.0]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.5.0.jar:6.5.0]
	at Application.defaultSecurityFilterChain(Application.java:45) ~[main/:na]
```
To Reproduce
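Consider the following minimal application to reproduce the problem:

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootApplication
@EnableWebSecurity
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(auth -> auth.requestMatchers("/private").authenticated())
                // Resource server configured with a resolver instead of a single AuthenticationManager
                .oauth2ResourceServer(
                        oauth ->
                                oauth.authenticationManagerResolver(
                                        JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(
                                                "http://localhost:4003/realms/app")))
                // Anonymous login disabled
                .anonymous(AbstractHttpConfigurer::disable)
                .build();
    }
}
```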
Expected behavior
A startup without a problem.
Sample
The (exact same) sample (with a `build.gradle`) can be found at