Spring-security-oauth: Resource Server ignore Bearer token when deployed in the same app with Authorization Server

Created on 16 Feb 2017  路  6Comments  路  Source: spring-projects/spring-security-oauth

I am creating a Spring Boot app containing both Authorization Server and Resource Server with the following configuration

@EnableWebSecurity(debug = true)
public class KonfigurasiSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .inMemoryAuthentication()
                .withUser("endy").password("123").authorities("ADMIN").and()
                .withUser("anggi").password("123").authorities("CUSTOMER");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().antMatchers("/**").authenticated()
                .and().formLogin().permitAll()
                .and().logout().permitAll();
    }

    @Configuration
    @EnableAuthorizationServer
    protected static class KonfigurasiAuthServer extends AuthorizationServerConfigurerAdapter {

        @Autowired
        @Qualifier("authenticationManagerBean")
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints)
                throws Exception {
            endpoints.authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
            oauthServer.checkTokenAccess("hasAuthority('CLIENT')");
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients
                    .inMemory()
                    .withClient("clientapp")
                    .secret("123456")
                    .authorities("CLIENT")
                    .authorizedGrantTypes("authorization_code", "refresh_token", "password")
                    .scopes("read", "write")
                    .autoApprove(true)
                    .resourceIds("belajarsso");
        }
    }

    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends
            ResourceServerConfigurerAdapter {

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            resources
                    .resourceId("belajarsso");
        }

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .requestMatchers()
                    .antMatchers("/api/**")
                    .and().authorizeRequests()
                    .antMatchers("/api/**")
                    .authenticated();
        }

    }
}

I also have a Controller

@RestController
public class UserController {

    @RequestMapping({"/api/user", "/api/me"})
    public Authentication user(Authentication auth) {
        return auth;
    }
}

After access token is obtained (through usual login process and exchanging authcode), the controller can be accessed if the token is supplied in request parameter as such
http://localhost:20000/api/user?access_token=blablabla-yadda-yadda-yadda

However, if access token is used in authorization header as such

curl -H 'Authorization: Bearer blablabla-yadda-yadda-yadda' http://localhost:10000/api/user

It will return 301 redirect to login page.

My suspicion is the @EnableResourceServer somehow either fail to register or misconfigure OAuth2AuthenticationProcessingFilter to conflict with BasicAuthenticationFilter.

Am I correct? How can I debug the exact sequence of installed filter? The debug log (I suppose) only display filters hit by request, not all installed/active filters.

Pls advise, thx

waiting-for-triage

Most helpful comment

Hi guys,

I found the problem and it is working now for me. I think it is kind of what i said before so you need to add this annotation on top of your WebSecurityConfigurerAdapter:

@Configuration @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { ...

Regards
Jose

All 6 comments

Could you fix it? I have also encountered the same problem.

Any updates on this?
I am facing the same problem.

I am facing the same problem too.
I'm using Spring Boot 1.5.2.RELEASE.

Same problem here. Spring Boot 1.5.6.RELEASE.

Same problem here. 1.5.8.RELEASE. Cannot find anyway to put them together using JWT and RSA keys. I think one override the configuration of the other

Hi guys,

I found the problem and it is working now for me. I think it is kind of what i said before so you need to add this annotation on top of your WebSecurityConfigurerAdapter:

@Configuration @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { ...

Regards
Jose

Was this page helpful?
0 / 5 - 0 ratings