Describe the bug
When using oauth2ResourceServer with authenticationManagerResolver while having anonymous login disabled, the application fails to start up with the cause shown in the stack trace below. This behavior only happens since Spring Boot 3.5.0 and spring-security 6.5.0. With spring-security 6.4.6 the application would start up without a problem.
Caused by: java.lang.IllegalArgumentException: tokenAuthenticationManager cannot be null
    at org.springframework.util.Assert.notNull(Assert.java:181) ~[spring-core-6.2.7.jar:6.2.7]
    at org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider.<init>(DPoPAuthenticationProvider.java:73) ~[spring-security-oauth2-resource-server-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.DPoPAuthenticationConfigurer.configure(DPoPAuthenticationConfigurer.java:79) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:288) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:147) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:398) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:352) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.5.0.jar:6.5.0]
    at Application.defaultSecurityFilterChain(Application.java:45) ~[main/:na]
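To Reproduce
Consider the following minimal application to reproduce the problem:

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
    import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
    import org.springframework.security.web.SecurityFilterChain;

    @SpringBootApplication
    @EnableWebSecurity
    public class Application {

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        @Bean
        public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
            return http.authorizeHttpRequests(auth -> auth.requestMatchers("/private").authenticated())
                    // Resource server configured through an AuthenticationManagerResolver
                    .oauth2ResourceServer(
                            oauth ->
                                    oauth.authenticationManagerResolver(
                                            JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(
                                                    "http://localhost:4003/realms/app")))
                    // Anonymous login disabled, as described in the report
                    .anonymous(AbstractHttpConfigurer::disable)
                    .build();
        }
    }
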
Expected behavior
A startup without a problem.
Sample
The (exact same) sample (with a build.gradle) can be found at https://github.com/aykborstelmann/spring-security-test-case
Comment From: Bisuko-chan
Got the exact same issue today after the upgrade to Spring Boot 3.5.0, we rolled back the changes for now.
Comment From: mnhock
Same here with a custom authenticationManagerResolver after upgrade to Spring Boot 3.5.0 and the intro of DPoP support in Spring Security.
    .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer
            .authenticationManagerResolver(authenticationManagerResolver()))
Comment From: jgrandja
Thanks for reporting this @aykborstelmann. I just pushed the fix.
Comment From: datnh99
Hi @jgrandja,
I have an issue when I upgrade the spring-security-config dependency from 6.4.6 to 6.5.0.
Here is the error message:
java.lang.ClassNotFoundException: org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider
I'm facing this issue when using a custom authenticationManagerResolver:
    .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer
            .authenticationManagerResolver(authenticationManagerResolver()))
My temporary handling: This issue can be resolved by adding 2 dependencies:
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-resource-server</artifactId>
        <version>6.5.0</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
        <version>6.5.0</version>
    </dependency>
Could this issue be resolved in the next version (6.5.1) without adding 2 new dependencies? Thank you in advance!