spring-projects / spring-security-samples Goto Github PK

View Code? Open in Web Editor NEW

1.2K 20.0 629.0 1.47 MB

Shell 0.31% Java 91.65% HTML 6.42% Kotlin 1.59% CSS 0.02%

spring-security-samples's Introduction

Samples for https://github.com/spring-projects/spring-security

Samples catalog

Getting Started

Hello Security - Spring Boot | WebFlux | WebFlux.fn | Java Configuration | XML | Kotlin | WebFlux Kotlin | RSocket
Hello Security (without Spring MVC) - Java Configuration
Hello Security with Explicit Configuration - Spring Boot | WebFlux | Java Configuration
Method Security - WebFlux
Spring Data Integration - Java Configuration
Max Sessions - Java Configuration
AspectJ Security Configuration - Java Configuration

OAuth 2.0

Authorization Server
Login - Spring Boot | WebFlux
Resource Server
- Hello Security - Spring Boot | WebFlux
- JSON Web Encryption (JWE)
- Multi-tenancy
- Opaque Token
- Static
WebClient - Spring Boot | WebFlux

SAML 2.0

Authentication

Pre-authentication
Remember-me
Username and password
- Form Login - Java Configuration | WebFlux
- In-memory UserDetailsService
- JDBC
- LDAP
- Multi-factor authentication
- Custom UserDetails
X.509 - Java Configuration | WebFlux

JWT

spring-security-samples's People

Contributors

Stargazers

Watchers

Forkers

rwinch liulong1010 stjordanis ai2hub global-localhost global19 global19-atlassian-net githanter quantum-adrenaline-1 dreamsrj jmccar alanbinu007 jgrandja aasthasethia keeplearningandtrying akkaxdxd amoffet shirosaki bavariablue marcusdacoregio darrenforsythe mcxd markovfedor sjohnr xpeteliu blueoceandevops jy-fourfire entrenamientodevops cwss2004-0405 giorne sunzheng2017 zhichengliu12581 soupal naichuan-zhang daydreamerli freestl chencongping fanhualei hsiaohao pdibenedetto ubunfu ioannispanges kenschwartz zjingsh90 xumumi 156420591 vestigegroup ivanzebra renatopassos aggapino shibenxia amrkhalednowahy rajeshhazari 1024kbfree help-lixin rwindwh denday04 danielgeb sren0130 chiungjucheng tommas1988 haijiechen revseev sk-xfy eleftherias lzqjsk alfredfzw nbnbnb hailunfei jcsturges sanmaru giger85 asiatao nemadroshan fengjidong havinhphu188 cklxl email450999788 jhonataribeiro dbgupta2 gabrielkuhn 419990068 chexingchun houxiaoyi0722 logantect gggitpl buzzardo wwdz540 isabella232 lanaflonform akolchin jiangchen1996 mgcarvalheiro yuanqingfei mzaphiris lakecenter apvilla supercoder-ape 86dh lai3d

spring-security-samples's Issues

Add steps to generate credentials

How can I generate the files in credentials, the idp and rp ones? I want to try spring saml feature with another idp

Migrate sample projects from Spring Security repository

As part of the effort to migrate the sample projects to a separate repository, we should migrate the remaining projects that are still referenced by our documentation.

Update to Tomcat 9

Spring now requires Servlet 4 after the changes in spring-projects/spring-framework#26428

Sample [authorization-server] is not working with sample [oauth2-client]

Hi, I clone the repo and startup oauth2-authorization-server and oauth2-client with the default configuration. And tried to test Spring oidc in browser. After input the username and password, This failed error came up. Is there any configuration that i miss ? Please help

Update samples to use Spring Security 6.0

Add Multi-factor Authentication Sample

How to do multi-factor authentication with Spring Security is a common question. While Spring Security doesn't have any APIs that support this feature, it would be nice to have a sample to show how it can be done.

OAuth Sample Do not Test Actual Configuration

Summary

As it stands the tests that are in Spring Security's OAuth Samples do not test the actual configuration. They are instead copying and modifying the samples to allow testing.

This might seem innocent enough, but we don't want our users to follow this pattern. We need to demonstrate how the existing configuration can be used with perhaps mocking a small piece of the application or running a MockWebServer instance

Tag Samples for Spring Security 5.5.0

To preserve a set of samples that work with Spring Security 5.5.0, we should create a 5.5.x branch, update the samples to point to Spring Security 5.5.0, and add a 5.5.0 tag.

Update Login samples to use Spring Authorization Server

Update JWT Login Sample to Use JwtEncoder

Dead links in Readme

The two links to the spring documentation in the readme are dead (lead to 404)

This is misleading and lowers trust in maturity or support of that version

https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/saml2/login/README.adoc

Links that are not working:

SAML 2.0 Logout feature: https://docs.spring.io/spring-security/site/docs/5.6.0-SNAPSHOT/reference/html5/#servlet-saml2login-logout
reference documentation https://docs.spring.io/spring-security/site/docs/5.6.0-SNAPSHOT/reference/html5/#servlet-saml2login-logout

Test failed on a Resource server when using Spring WebMvc RouterFunction

I created a Resource server example project using Spring WebMvc RouterFunction and Auth0 IDP.

https://github.com/hantsy/spring-webmvc-auth0-sample

When adding tests, I followed the Spring Security Samples.

I tried to use @MockMvc to test the functionality but failed. The @MockMvc can not recognize RouterFunction bean and the new Spring Security Servlet SecurityFilterChain.

Then I created a MockMvc from WebApplicationContext, check https://github.com/hantsy/spring-webmvc-auth0-sample/blob/master/src/test/java/com/example/demo/ApplicationTests.java, but failed due to an exception.

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.NullPointerException: Cannot invoke "org.springframework.test.web.servlet.DefaultMvcResult.setHandler(Object)" because "mvcResult" is null

    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1014)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)

Also posted on stackoverflow, https://stackoverflow.com/questions/67171628/resource-server-test-failes-with-auth0-issuer-uri

How to WebSocketSecurityConfig with Spring Security 6.0

Hi, I'm trying to use Spring Security 6.0 authorization websocket.
My java config just like this. It's a copy from the document.

@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        messages
                .nullDestMatcher().authenticated() 
                .simpSubscribeDestMatchers("/user/queue/errors").permitAll() 
                .simpDestMatchers("/app/**").hasRole("USER") 
                .simpSubscribeDestMatchers("/user/**", "/topic/friends/*").hasRole("USER") 
                .simpTypeMatchers(SimpMessageType.MESSAGE, SimpMessageType.SUBSCRIBE).denyAll() 
                .anyMessage().denyAll(); 

    }
}

But I got a error

java.lang.IllegalStateException: Failed to introspect Class [org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer] from ClassLoader [jdk.internal.loader.ClassLoaders$AppClassLoader@42110406]

Could you tell me the right way? or write a sample about websocket security :D

MFA sample should declare its spring-security-crypto dependency

spring-projects/spring-security#9767 makes apparent that the MFA sample should declare its spring-security-crypto dependency directly.

Update to Gradle 7.2

Since the Spring Security build is dependent on samples, we should update the samples' Gradle version as well.

Organize Samples

Organize samples so that its possible to generate a directory of samples in the docs automatically. See Issue spring-projects/spring-security#8190

Enable SAML2 tests when service provider is available

We've had to temporarily disable our SAML2 samples because https://simplesaml-for-spring-saml.apps.pcfone.io is not externally available.
When it becomes available again we should enable the SAML2 samples.

Update SAML 2.0 Login sample to use SAML 2.0 Logout

The saml2-login sample should use SAML 2.0 logout.

To keep the sample simple, we should do the following:

The SimpleSAMLphp sample app should be configured to use the POST binding for logout requests and responses
The SimpleSAMLphp sample app also needs to be configured to trust localhost:8080 as a ReturnTo= endpoint
The sample's README should be updated to include explanations about how logout works
The sample's integration tests should confirm that logout works with the SimpleSAMLphp deployment
The sample should use only Boot properties if possible

CI is green despite sample failures

Consider the recent CI run: https://github.com/spring-projects/spring-security-samples/runs/4504477599

The SAML2 Login sample failed during this run, but the CI remained green.

Error:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through method 'setFilterChains' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'app' defined in class path resource [example/SecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'app' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'relyingPartyRegistrationRepository' defined in class path resource [example/SecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository]: Factory method 'relyingPartyRegistrationRepository' threw exception; nested exception is org.springframework.security.saml2.Saml2Exception: java.net.ConnectException: Connection timed out (Connection timed out)

Multi-factor authentication Sample Bug: Refreshing the page when in second-factor page redirects to login page

How to reproduce:

start the mfa spring boot application

./gradlew -b ./servlet/spring-boot/java/authentication/username-password/mfa/build.gradle bootRun

giving credentials in first page ([email protected], password) redirects to second page but when in second page:

If I refresh, I get AnonymousAuthenticationToken inside SecurityConfig#mfaAuthorizationManager
if I submit totp code I still get AnonymousAuthenticationToken inside SecurityConfig#mfaAuthorizationManager

Both of the above event leads me back to login page.

Update Resource Server Samples to use Spring Authorization Server

SAML 2.0 Login & Single Logout XML Sample

See:

spring-projects/spring-security#9012

ACL sample missing, still relevant?

Hello,

Is ACL still relevant nowadays ?

I'm asking this question because there is a reference to "Contacts" and "Document Management System" samples in the doc regarding ACL, but I can't find those samples.

ACL is quite complex and it's hard to use this system without a proper up-to-date sample, so is it still a good system to use if we want to restrict access to a specific object ? (Something like ownership)

Should I use something else ?

Thanks for your time.

Cannot run gradlew in \servlet\spring-boot\java\oauth2\authorization-server folder

Root cause: missing gradle wrapper folder

please merge https://github.com//pull/50 to fix

Update to Gradle 6.9

Use JDK 11 in CI

Allow milestone dependencies

Update Kotlin Samples

Update Boot, Security, and Kotlin dependencies

Add ACL Document Management System XML sample

Example showing how to authenticate with multiple Asserting Parties

Continuing from:
spring-projects/spring-security#10551
spring-attic/spring-security-saml#521 (comment)

One Relying Party (Service Provider) should be able to authenticate with a choice of Asserting Parties (Identity Providers).
That's the basic SAML Federation system.

If this is currently possible, please add an example showing how (discovery can be a choice of two buttons - one for each IdP).
If this is not currently possible, please re-open the feature request(s) for it.
If it is not possible to add this feature, please resume support for spring-security-saml, which does allow this.

Update LDAP samples to use LdapBindAuthenticationManagerFactory

Update samples to use authorizeHttpRequests

spring-projects/spring-security#8900 introduced authorizeHttpRequests and the samples should use it wherever possible.

Update to Spring Authorization Server 0.2.0

Update to Spring Boot 2.5.0

Add SAML 2.0 Metadata Refresh Sample

The EOL spring-security-saml extension had a metadata refresh feature where asserting party metadata could be periodically refreshed on a schedule.

Now that Spring Security core has SAML 2.0 support, it would be nice to have a sample that uses a custom implementation of RelyingPartyRegistrationRepository to achieve this periodic refresh.

Implement the sample showing the implementations of the recommendations in https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07#section-6.2

Expected Behavior

The RFC https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07 recommends use of:

JavaScript Applications with a Backend

The Application Server (Backend) SHOULD be considered a confidential client,
and issued its own client secret. The Application Server SHOULD use
the OAuth 2.0 Authorization Code grant with PKCE to initiate a
request for an access token.
Security of the connection between code running in the browser and
this Application Server is assumed to utilize browser-level
protection mechanisms. Details are out of scope of this document,
but many recommendations can be found in the OWASP Cheat Sheet series
(https://cheatsheetseries.owasp.org/), such as setting an HTTP-only
and Secure cookie to authenticate the session between the browser and
Application Server.
In this scenario, the session between the browser and Application
Server SHOULD be a session cookie provided by the Application Server.

Current Behavior

I have not seen any samples and/or documentation explaining how to implement the recommendation especially when using JWT tokens. It will be good if the documentation discusses if the above recommendation is applicable when using JWT token with OAuth2.

Context

Add sample setup for OAuth 2.0 resouce server supporting JWT and Opaque tokens

In Spring docs there is an example of a multi-tenant (one Opaque and one JWT) OAuth 2.0 Resource Server using an AuthenticationManagerResolver : https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2reourceserver-opaqueandjwt

The multi-tenancy sample presented in this repo uses custom properties and manual resolution, is that possible to add a sample using jwt and opaque tokens with standard properties ?

I tried to setup a sample app from docs but the resolver seems wrong (jwt() and opaqueToken() beans are not accessible ?)

I added details in a Stack Overflow ticket : https://stackoverflow.com/questions/68744965/spring-security-5-setup-authenticationmanagerresolver-for-jwt-and-opaquetokens

A similar thing was done here : spring-projects/spring-security#8713

Remove usage of `WebSecurityConfigurerAdapter`

Switch to expose a SecurityFilterChain bean

Use OpenSAML 4 in saml2-login sample

Create sample with OAuth 2.0 Client used in SPA

We should create a sample with an OAuth 2.0 Client used in a SPA (single-page application).

why i can not find JwtEncoder in spring-boot-starter-oauth2-resource-server:2.5.3?

Create sample with OAuth 2.0 Client used in native app

We should create a sample with an OAuth 2.0 Client used in a native app.

Reference: OAuth 2.0 for Native Apps

Add ACL Contacts XML sample

Consider simpler ACL sample

Related to #32 and #34

The ACL samples have lots of domain details that make them challenging to comprehend. It might be nice if these samples were replaced with ones that demonstrate common use cases.

It would also be nice if the acl samples were in their own directory.

Add PreAuth Xml sample project

Related #22

Add saml2-login java-configuration sample

Add Hello Spring Security Xml Config sample project

Related #22

Add index page of samples

Such as:

Add a table of contents to the readme
Add a wiki page
Create a simple documentation microsite (e.g. Antora) with organized list
Create a simple GitHub Pages site with organized list

ClassNotFoundException: PasswordEncoder

Looking at https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy I currently see the following two issues.

Running Application Fails with ClassNotFoundException for org.springframework.security.crypto.password.PasswordEncoder

At the moment, running

./gradlew bootRun

fails (for me) with


> Task :bootRun FAILED

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.5.0)

2021-06-01 18:26:41.133  INFO 26749 --- [           main] example.OAuth2ResourceServerApplication  : Starting OAuth2ResourceServerApplication using Java 11.0.2 on <removed> with PID 26749 (<removed>/spring-security-samples/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy/build/classes/java/main started by <removed> in <removed>/spring-security-samples/servlet/spring-boot/java/oauth2/resource-server/multi-tenancy)
2021-06-01 18:26:41.135  INFO 26749 --- [           main] example.OAuth2ResourceServerApplication  : No active profile set, falling back to default profiles: default
2021-06-01 18:26:41.222  WARN 26749 --- [kground-preinit] o.s.h.c.j.Jackson2ObjectMapperBuilder    : For Jackson Kotlin classes support please add "com.fasterxml.jackson.module:jackson-module-kotlin" to the classpath
2021-06-01 18:26:41.890 ERROR 26749 --- [           main] o.s.boot.SpringApplication               : Application run failed

java.lang.IllegalStateException: Error processing condition on org.springframework.boot.autoconfigure.sql.init.SqlInitializationAutoConfiguration
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:60) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        at org.springframework.context.annotation.ConditionEvaluator.shouldSkip(ConditionEvaluator.java:108) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader$TrackedConditionEvaluator.shouldSkip(ConfigurationClassBeanDefinitionReader.java:489) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader$TrackedConditionEvaluator.shouldSkip(ConfigurationClassBeanDefinitionReader.java:478) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:140) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:129) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:343) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:247) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:311) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:112) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:746) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:564) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:438) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:337) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1336) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1325) ~[spring-boot-2.5.0.jar:2.5.0]
        at example.OAuth2ResourceServerApplication.main(OAuth2ResourceServerApplication.java:30) ~[main/:na]
Caused by: java.lang.IllegalStateException: Failed to introspect Class [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration] from ClassLoader [jdk.internal.loader.ClassLoaders$AppClassLoader@4b85612c]
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:481) ~[spring-core-5.3.7.jar:5.3.7]
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:358) ~[spring-core-5.3.7.jar:5.3.7]
        at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:414) ~[spring-core-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.lambda$getTypeForFactoryMethod$2(AbstractAutowireCapableBeanFactory.java:747) ~[spring-beans-5.3.7.jar:5.3.7]
        at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1705) ~[na:na]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:746) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:685) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:656) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1670) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:570) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:542) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.collectBeanNamesForType(OnBeanCondition.java:238) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getBeanNamesForType(OnBeanCondition.java:231) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getBeanNamesForType(OnBeanCondition.java:221) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchingBeans(OnBeanCondition.java:169) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        at org.springframework.boot.autoconfigure.condition.OnBeanCondition.getMatchOutcome(OnBeanCondition.java:144) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        at org.springframework.boot.autoconfigure.condition.SpringBootCondition.matches(SpringBootCondition.java:47) ~[spring-boot-autoconfigure-2.5.0.jar:2.5.0]
        ... 18 common frames omitted
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/crypto/password/PasswordEncoder
        at java.base/java.lang.Class.getDeclaredMethods0(Native Method) ~[na:na]
        at java.base/java.lang.Class.privateGetDeclaredMethods(Class.java:3167) ~[na:na]
        at java.base/java.lang.Class.getDeclaredMethods(Class.java:2310) ~[na:na]
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:463) ~[spring-core-5.3.7.jar:5.3.7]
        ... 34 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.security.crypto.password.PasswordEncoder
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:583) ~[na:na]
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) ~[na:na]
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[na:na]
        ... 38 common frames omitted

2021-06-01 18:26:41.906  WARN 26749 --- [           main] o.s.boot.SpringApplication               : Unable to close ApplicationContext

java.lang.IllegalStateException: Failed to introspect Class [org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration] from ClassLoader [jdk.internal.loader.ClassLoaders$AppClassLoader@4b85612c]
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:481) ~[spring-core-5.3.7.jar:5.3.7]
        at org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:358) ~[spring-core-5.3.7.jar:5.3.7]
        at org.springframework.util.ReflectionUtils.getUniqueDeclaredMethods(ReflectionUtils.java:414) ~[spring-core-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.lambda$getTypeForFactoryMethod$2(AbstractAutowireCapableBeanFactory.java:747) ~[spring-beans-5.3.7.jar:5.3.7]
        at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1705) ~[na:na]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryMethod(AbstractAutowireCapableBeanFactory.java:746) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:685) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:656) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1670) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:570) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:542) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:667) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:659) ~[spring-beans-5.3.7.jar:5.3.7]
        at org.springframework.context.support.AbstractApplicationContext.getBeansOfType(AbstractApplicationContext.java:1300) ~[spring-context-5.3.7.jar:5.3.7]
        at org.springframework.boot.SpringApplication.getExitCodeFromMappedException(SpringApplication.java:890) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.getExitCodeFromException(SpringApplication.java:878) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.handleExitCode(SpringApplication.java:865) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.handleRunFailure(SpringApplication.java:806) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:347) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1336) ~[spring-boot-2.5.0.jar:2.5.0]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1325) ~[spring-boot-2.5.0.jar:2.5.0]
        at example.OAuth2ResourceServerApplication.main(OAuth2ResourceServerApplication.java:30) ~[main/:na]
Caused by: java.lang.NoClassDefFoundError: org/springframework/security/crypto/password/PasswordEncoder
        at java.base/java.lang.Class.getDeclaredMethods0(Native Method) ~[na:na]
        at java.base/java.lang.Class.privateGetDeclaredMethods(Class.java:3167) ~[na:na]
        at java.base/java.lang.Class.getDeclaredMethods(Class.java:2310) ~[na:na]
        at org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.java:463) ~[spring-core-5.3.7.jar:5.3.7]
        ... 21 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.security.crypto.password.PasswordEncoder
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:583) ~[na:na]
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) ~[na:na]
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[na:na]
        ... 25 common frames omitted


FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':bootRun'.
> Process 'command '/Library/Java/JavaVirtualMachines/openjdk-11.0.2.jdk/Contents/Home/bin/java'' finished with non-zero exit value 1

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 2s
4 actionable tasks: 1 executed, 3 up-to-date

It seems this behavior can be easily fixed adding

implementation 'org.springframework.security:spring-security-crypto'

to the dependencies block in build.gradle.

In case it seems this problem affects also other people, I would suggest adjusting the example to include this additional dependency.

Update: I also just noticed, that I have the same problem with https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/hello-security

InMemoryUserDetailsManager is Auto-Configured

Once the problem above is fixed, the application starts. However, in the log output I see

2021-06-01 18:34:39.832  INFO 26857 --- [           main] .s.s.UserDetailsServiceAutoConfiguration : 

Using generated security password: f89a4c05-3b75-4c2c-89a0-60dceba7e4ec

In my opinion, this is somewhat unexpected, as I would expect the same behavior as in the "simple", non-multi-tenant case (e.g., https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/hello-security ), where the auto-configuration is not activated (I think due to the presence of a JwtDecoder bean, but I have not fully investigated this).

I would therefore suggest to explicitly disable this auto-configuration in the multi-tenant example. Unfortunately, I'm not quite sure what the best way is to achieve this. The easiest is probably just excluding the configuration via

@SpringBootApplication(exclude = UserDetailsServiceAutoConfiguration.class)

in OAuth2ResourceServerApplication. However, I haven't checked whether this leads to any undesirable side-effects.