given the following Maven build...
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>4.0.3</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>auth</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>auth</name>
<description>Demo project for Spring Boot</description>
<url/>
<licenses>
<license/>
</licenses>
<developers>
<developer/>
</developers>
<scm>
<connection/>
<developerConnection/>
<tag/>
<url/>
</scm>
<properties>
<java.version>25</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security-oauth2-authorization-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webmvc</artifactId>
</dependency>
<dependency>
<groupId>org.springaicommunity</groupId>
<artifactId>mcp-authorization-server</artifactId>
<version>0.1.1</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security-oauth2-authorization-server-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webmvc-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-webauthn</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.graalvm.buildtools</groupId>
<artifactId>native-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
and the following Java code
package com.example.auth;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.http.MediaType;
import org.springframework.security.authorization.AuthorizationManagerFactories;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authorization.EnableMultiFactorAuthentication;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.FactorGrantedAuthority;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import javax.sql.DataSource;
@EnableMultiFactorAuthentication(authorities = {})
@SpringBootApplication
public class AuthApplication {
public static void main(String[] args) {
SpringApplication.run(AuthApplication.class, args);
}
@Bean
JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
var j = new JdbcUserDetailsManager(dataSource);
j.setEnableUpdatePassword(true);
return j;
}
@Bean
Customizer<HttpSecurity> httpSecurityCustomizer() {
var adm = AuthorizationManagerFactories
.multiFactor()
.requireFactors(FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY)
.build();
return http -> http
.authorizeHttpRequests(x -> x.requestMatchers("/**")
.access(adm.authenticated()))
.oauth2AuthorizationServer(c -> c.oidc(Customizer.withDefaults()))
.webAuthn(w -> w
.rpId("localhost")
.rpName("bootiful")
.allowedOrigins("http://localhost:9090")
)
.oneTimeTokenLogin(a -> a.tokenGenerationSuccessHandler(
(_, response, oneTimeToken) -> {
response.getWriter().println("you've got console mail!");
response.setContentType(MediaType.TEXT_PLAIN_VALUE);
IO.println("please go to http://localhost:8080/login/ott?token=" +
oneTimeToken.getTokenValue());
}
));
}
}
and the following properties (encoded in .yaml - sorry):
spring:
security:
oauth2:
authorizationserver:
client:
oidc-client:
registration:
client-id: "spring"
client-secret: "{noop}spring"
client-authentication-methods:
- "client_secret_basic"
authorization-grant-types:
- "authorization_code"
- "refresh_token"
redirect-uris:
- "http://127.0.0.1:8081/login/oauth2/code/spring"
scopes:
- "openid"
- "profile"
datasource:
password: secret
username: myuser
url: jdbc:postgresql://localhost/mydatabase
application:
name: auth
server:
port: 9090
i get the following error on startup:
2026-02-25T14:12:29.651-08:00 INFO 85498 --- [auth] [ main] o.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/11.0.18]
2026-02-25T14:12:29.667-08:00 INFO 85498 --- [auth] [ main] b.w.c.s.WebApplicationContextInitializer : Root WebApplicationContext: initialization completed in 362 ms
2026-02-25T14:12:29.705-08:00 INFO 85498 --- [auth] [ main] o.s.s.p.JdbcUserDetailsManager : No authentication manager set. Reauthentication of users when changing passwords will not be performed.
2026-02-25T14:12:29.826-08:00 INFO 85498 --- [auth] [ main] r$InitializeUserDetailsManagerConfigurer : Global AuthenticationManager configured with UserDetailsService bean with name jdbcUserDetailsManager
2026-02-25T14:12:30.623-08:00 WARN 85498 --- [auth] [ main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizationServerSecurityFilterChain' defined in class path resource [org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'authorizationServerSecurityFilterChain' threw exception with message: com/fasterxml/jackson/databind/exc/InvalidDefinitionException
2026-02-25T14:12:30.625-08:00 INFO 85498 --- [auth] [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2026-02-25T14:12:30.628-08:00 INFO 85498 --- [auth] [ main] .s.b.a.l.ConditionEvaluationReportLogger :
Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2026-02-25T14:12:30.632-08:00 ERROR 85498 --- [auth] [ main] o.s.boot.SpringApplication : Application run failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authorizationServerSecurityFilterChain' defined in class path resource [org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'authorizationServerSecurityFilterChain' threw exception with message: com/fasterxml/jackson/databind/exc/InvalidDefinitionException
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1362) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1194) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:565) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:525) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:333) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:371) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:331) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:196) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1218) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1184) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1121) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:994) ~[spring-context-7.0.5.jar:7.0.5]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:621) ~[spring-context-7.0.5.jar:7.0.5]
at org.springframework.boot.web.server.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:143) ~[spring-boot-web-server-4.0.3.jar:4.0.3]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:756) ~[spring-boot-4.0.3.jar:4.0.3]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:445) ~[spring-boot-4.0.3.jar:4.0.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:321) ~[spring-boot-4.0.3.jar:4.0.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1365) ~[spring-boot-4.0.3.jar:4.0.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1354) ~[spring-boot-4.0.3.jar:4.0.3]
at com.example.auth.AuthApplication.main(AuthApplication.java:21) ~[classes/:na]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'authorizationServerSecurityFilterChain' threw exception with message: com/fasterxml/jackson/databind/exc/InvalidDefinitionException
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:183) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:72) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:152) ~[spring-beans-7.0.5.jar:7.0.5]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-7.0.5.jar:7.0.5]
... 21 common frames omitted
Caused by: java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/exc/InvalidDefinitionException
at org.springframework.security.web.authentication.HttpMessageConverterAuthenticationSuccessHandler.<init>(HttpMessageConverterAuthenticationSuccessHandler.java:52) ~[spring-security-web-7.0.3.jar:7.0.3]
at org.springframework.security.web.webauthn.authentication.WebAuthnAuthenticationFilter.<init>(WebAuthnAuthenticationFilter.java:95) ~[spring-security-webauthn-7.0.3.jar:7.0.3]
at org.springframework.security.config.annotation.web.configurers.WebAuthnConfigurer.configure(WebAuthnConfigurer.java:177) ~[spring-security-config-7.0.3.jar:7.0.3]
at org.springframework.security.config.annotation.web.configurers.WebAuthnConfigurer.configure(WebAuthnConfigurer.java:61) ~[spring-security-config-7.0.3.jar:7.0.3]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:386) ~[spring-security-config-7.0.3.jar:7.0.3]
at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:336) ~[spring-security-config-7.0.3.jar:7.0.3]
at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-7.0.3.jar:7.0.3]
at org.springframework.boot.security.oauth2.server.authorization.autoconfigure.servlet.OAuth2AuthorizationServerWebSecurityConfiguration.authorizationServerSecurityFilterChain(OAuth2AuthorizationServerWebSecurityConfiguration.java:61) ~[spring-boot-security-oauth2-authorization-server-4.0.3.jar:4.0.3]
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:565) ~[na:na]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:155) ~[spring-beans-7.0.5.jar:7.0.5]
... 24 common frames omitted
Caused by: java.lang.ClassNotFoundException: com.fasterxml.jackson.databind.exc.InvalidDefinitionException
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:580) ~[na:na]
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:490) ~[na:na]
... 35 common frames omitted
Disconnected from the target VM, addre
if i add
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-jackson2</artifactId>
</dependency>
it works.
ideally, the spring boot starter for spring auth server would bring in jackson 2 if it were meant to work, or we'd avoid using jackson 2. or something.
given the following Maven build...
and the following Java code
package com.example.auth; import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.context.annotation.Bean; import org.springframework.http.MediaType; import org.springframework.security.authorization.AuthorizationManagerFactories; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.authorization.EnableMultiFactorAuthentication; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.core.authority.FactorGrantedAuthority; import org.springframework.security.provisioning.JdbcUserDetailsManager; import javax.sql.DataSource; @EnableMultiFactorAuthentication(authorities = {}) @SpringBootApplication public class AuthApplication { public static void main(String[] args) { SpringApplication.run(AuthApplication.class, args); } @Bean JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) { var j = new JdbcUserDetailsManager(dataSource); j.setEnableUpdatePassword(true); return j; } @Bean Customizer<HttpSecurity> httpSecurityCustomizer() { var adm = AuthorizationManagerFactories .multiFactor() .requireFactors(FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY) .build(); return http -> http .authorizeHttpRequests(x -> x.requestMatchers("/**") .access(adm.authenticated())) .oauth2AuthorizationServer(c -> c.oidc(Customizer.withDefaults())) .webAuthn(w -> w .rpId("localhost") .rpName("bootiful") .allowedOrigins("http://localhost:9090") ) .oneTimeTokenLogin(a -> a.tokenGenerationSuccessHandler( (_, response, oneTimeToken) -> { response.getWriter().println("you've got console mail!"); response.setContentType(MediaType.TEXT_PLAIN_VALUE); IO.println("please go to http://localhost:8080/login/ott?token=" + oneTimeToken.getTokenValue()); } )); } }and the following properties (encoded in
.yaml- sorry):i get the following error on startup:
if i add
it works.
ideally, the spring boot starter for spring auth server would bring in jackson 2 if it were meant to work, or we'd avoid using jackson 2. or something.