I am creating a Spring Boot app containing both Authorization Server and Resource Server with the following configuration
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@EnableWebSecurity(debug = true)
public class KonfigurasiSecurity extends WebSecurityConfigurerAdapter {

    // In-memory users; the authorities are what the resource endpoints see.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("endy").password("123").authorities("ADMIN").and()
            .withUser("anggi").password("123").authorities("CUSTOMER");
    }

    // Exposed as a bean so the authorization server can reuse it (needed for the password grant).
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // Catch-all chain: every request requires an authenticated session, form login otherwise.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/**").authenticated()
            .and().formLogin().permitAll()
            .and().logout().permitAll();
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class KonfigurasiAuthServer extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        // Only authenticated clients holding the CLIENT authority may call /oauth/check_token.
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("hasAuthority('CLIENT')");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                .inMemory()
                .withClient("clientapp")
                .secret("123456")
                .authorities("CLIENT")
                .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                .scopes("read", "write")
                .autoApprove(true)
                .resourceIds("belajarsso");
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        // Tokens must carry this resource id (matches the client's resourceIds above).
        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                .resourceId("belajarsso");
        }

        // This chain only claims /api/**; everything else falls through to the chain above.
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .requestMatchers()
                .antMatchers("/api/**")
                .and().authorizeRequests()
                .antMatchers("/api/**")
                .authenticated();
        }
    }
}
I also have a Controller
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // Echoes the resolved Authentication so the caller can see how the token was interpreted.
    @RequestMapping({"/api/user", "/api/me"})
    public Authentication user(Authentication auth) {
        return auth;
    }
}
After an access token is obtained (through the usual login process and exchanging the auth code), the controller can be accessed if the token is supplied as a request parameter, as such:
http://localhost:20000/api/user?access_token=blablabla-yadda-yadda-yadda
However, if the access token is used in the Authorization header, as such:
curl -H 'Authorization: Bearer blablabla-yadda-yadda-yadda' http://localhost:10000/api/user
it returns a 301 redirect to the login page.
My suspicion is that @EnableResourceServer somehow either fails to register or misconfigures OAuth2AuthenticationProcessingFilter so that it conflicts with BasicAuthenticationFilter.
Am I correct? How can I debug the exact sequence of installed filters? The debug log (I suppose) only displays the filters hit by a request, not all installed/active filters.
Please advise, thanks.
Could you fix it? I have also encountered the same problem.
Any updates on this?
I am facing the same problem.
I am facing the same problem too.
I'm using Spring Boot 1.5.2.RELEASE.
Same problem here. Spring Boot 1.5.6.RELEASE.
Same problem here. 1.5.8.RELEASE. Cannot find any way to put them together using JWT and RSA keys. I think one overrides the configuration of the other.
Hi guys,
I found the problem and it is working now for me. I think it is kind of what I said before, so you need to add this annotation on top of your WebSecurityConfigurerAdapter:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
...
Regards
Jose
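The following is an added example, not code from the question or from Jose's reply. It combines the fix above with the check the original question asks for: the outer WebSecurityConfigurerAdapter carries @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER), and a CommandLineRunner dumps every installed SecurityFilterChain in evaluation order so the ordering can be verified instead of guessed from the debug log. It assumes Spring Boot 1.5.x with spring-security-oauth2 on the classpath; the class name FormLoginSecurityConfig and the method names dumpSecurityFilterChains and unwrapFilterChainProxy are mine. The nested KonfigurasiAuthServer and ResourceServerConfiguration classes from the question stay as posted (nested or moved to top level). The explanation in the comments is my reading of the Boot 1.5 defaults: the resource server chain is placed at ACCESS_OVERRIDE_ORDER - 1 (the default of security.oauth2.resource.filter-order), so an adapter left at its default order of 100 puts the catch-all form-login chain in front of it.

```java
// Added example, not code from the issue thread. Assumes Spring Boot 1.5.x with
// spring-security-oauth2 on the classpath; the nested auth server and resource
// server configuration classes from the question are kept as they were posted.
import java.util.List;

import javax.servlet.Filter;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.debug.DebugFilter;

@Configuration
@EnableWebSecurity(debug = true)
// Place this catch-all form-login chain AFTER the resource server chain.
// Boot 1.5 orders the resource server chain at ACCESS_OVERRIDE_ORDER - 1, so an
// adapter left at the default order (100) sits in front of it, claims /api/**
// and redirects Bearer-token requests to the login page.
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class FormLoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("endy").password("123").authorities("ADMIN").and()
            .withUser("anggi").password("123").authorities("CUSTOMER");
    }

    // Exposed so the authorization server can use it for the password grant.
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/**").authenticated()
            .and().formLogin().permitAll()
            .and().logout().permitAll();
    }

    // Diagnostic: print every installed SecurityFilterChain in evaluation order,
    // with its request matcher and filters. "springSecurityFilterChain" is the
    // standard bean name; with debug=true it is a DebugFilter wrapping the proxy.
    @Bean
    public CommandLineRunner dumpSecurityFilterChains(
            @Qualifier("springSecurityFilterChain") Filter springSecurityFilterChain) {
        return args -> {
            FilterChainProxy proxy = unwrapFilterChainProxy(springSecurityFilterChain);
            List<SecurityFilterChain> chains = proxy.getFilterChains();
            for (int i = 0; i < chains.size(); i++) {
                SecurityFilterChain chain = chains.get(i);
                String matcher = chain instanceof DefaultSecurityFilterChain
                        ? ((DefaultSecurityFilterChain) chain).getRequestMatcher().toString()
                        : chain.getClass().getSimpleName();
                System.out.println("chain[" + i + "] " + matcher);
                for (Filter f : chain.getFilters()) {
                    System.out.println("    " + f.getClass().getSimpleName());
                }
            }
        };
    }

    // Unwraps the DebugFilter that @EnableWebSecurity(debug = true) installs.
    static FilterChainProxy unwrapFilterChainProxy(Filter springSecurityFilterChain) {
        if (springSecurityFilterChain instanceof DebugFilter) {
            return ((DebugFilter) springSecurityFilterChain).getFilterChainProxy();
        }
        return (FilterChainProxy) springSecurityFilterChain;
    }
}
```

What to look for in the dump: the chain whose matcher covers /api/** and whose filters include OAuth2AuthenticationProcessingFilter should be listed before the any-request chain that contains UsernamePasswordAuthenticationFilter. If the form-login chain is listed first, a Bearer request to /api/user never reaches the resource server filters, which is the redirect described in the question. FilterChainProxy picks the first chain whose matcher accepts the request, so the printed index is the real evaluation order.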