Description
The backend service fails to start in a Dockerized environment, throwing an UnsatisfiedDependencyException during the creation of the JWTAuthenticationFilter bean. This prevents the application from reaching a "Started" state and results in the shoppmate-api container exiting with code 1.
Root Causes
- Missing Security Assets: The project requires
public_key.pem and private_key.pem for JWE/JWT operations, but these were not provided or generated during the build process.
- Pathing Conflicts: The
RsaKeyConfig.java utilizes the file: prefix to load keys from the filesystem. This caused a failure when keys were stored in the classpath (src/main/resources) rather than the expected filesystem root.
- Docker Permission Deadlock: The
Dockerfile implementation attempted to access copied files before the application user (spring) was assigned ownership. Since Docker Desktop (WSL2) mounts host files as root by default, the restricted spring user encountered an AccessDeniedException.
System
- Windows 11
- Java 17.0.18.8
Proposed Resolution
The following architectural changes were implemented:
- Project Structure: Created a dedicated
certs/ directory in the backend/ root to house the RSA keys, ensuring alignment with the file:certs/ pathing logic in the Java configuration.
- Dockerfile Refactoring:
- Reordered the build sequence to ensure the
spring user is created early in the runtime stage.
- Implemented a "Root-level Setup" phase to
mkdir, COPY, and chown the certificate directory before switching to the unprivileged user.
- Ensured the
app.jar is also owned by the application user to prevent runtime file-access issues.
- Docker Compose: Standardized service dependencies to ensure the database is
healthy before the API attempts to connect.
Validation Results
Will follow up with a PR.
Technical Breakdown (Logs)
Previous Error Trace:
Caused by: java.nio.file.AccessDeniedException: certs/private_key.pem
at com.omatheusmesmo.shoppmate.auth.configs.RsaKeyConfig.privateKey(RsaKeyConfig.java:28)
at com.omatheusmesmo.shoppmate.auth.configs.RsaKeyConfig.publicKey(RsaKeyConfig.java:40)
...
Factory method 'publicKey' threw exception; nested exception is java.lang.IllegalStateException: JWT public-key file not found
Description
The backend service fails to start in a Dockerized environment, throwing an
UnsatisfiedDependencyExceptionduring the creation of theJWTAuthenticationFilterbean. This prevents the application from reaching a "Started" state and results in theshoppmate-apicontainer exiting with code 1.Root Causes
public_key.pemandprivate_key.pemfor JWE/JWT operations, but these were not provided or generated during the build process.RsaKeyConfig.javautilizes thefile:prefix to load keys from the filesystem. This caused a failure when keys were stored in the classpath (src/main/resources) rather than the expected filesystem root.Dockerfileimplementation attempted to access copied files before the application user (spring) was assigned ownership. Since Docker Desktop (WSL2) mounts host files asrootby default, the restrictedspringuser encountered anAccessDeniedException.System
Proposed Resolution
The following architectural changes were implemented:
certs/directory in thebackend/root to house the RSA keys, ensuring alignment with thefile:certs/pathing logic in the Java configuration.springuser is created early in the runtime stage.mkdir,COPY, andchownthe certificate directory before switching to the unprivileged user.app.jaris also owned by the application user to prevent runtime file-access issues.healthybefore the API attempts to connect.Validation Results
Started ShoppMateApplicationusing thespring(non-root) user.GET /listsreturns a200 OKstatus in Bruno/Swagger UI when a valid Bearer token is provided.Will follow up with a PR.
Technical Breakdown (Logs)
Previous Error Trace: