Comments (14)
The suggested workaround has the side effect of overriding any HttpSecurity configuration done in other WebSecurityConfigurerAdapters in the application. For example, when I apply the workaround it allows unprotected access to all resources in my app.
from spring-security-oauth-javaconfig.
@trygvis - I ended up implementing my own filter to extract and validate the bearer token instead of using the Spring Security OAuth library.
Any update on this issue? I am still experiencing it so it appears to not have been resolved.
Similar story to above. My HTTP configuration is overridden by the @EnableResourceServer annotation. I have tried with @Order as well.
@sirianni Sorry I wasn't clear. You can configure the authorization however you want. The key is to ensure that authorization is configured.
Thanks @rwinch - yes, I think I understood that part. The problem is that I have an HttpSecurity configured already in a different WebSecurityConfigurerAdapter @Configuration in my app.
Given that, I expected that I would not need the workaround. However, without that workaround in my ResourceServerConfigurerAdapter class, I hit the above IllegalStateException.
My application has several WebSecurityConfigurerAdapter instances which (up until now) have worked cooperatively just fine. I guess I could try to merge all those into a single ResourceServerConfigurerAdapter config, but I'd rather not take that approach.
Any ideas?
I've also tried adjusting the @Order of the ResourceServerConfigurer relative to the other WebSecurityConfigurers. No matter what I do:
- I need to include the http.authorizeRequests() as a workaround
- The http configuration specified in ResourceServerConfigurer overwrites anything configured in my other WebSecurityConfigurers.
It looks like the ResourceServerConfiguration is building an entirely separate springSecurityFilterChain, overwriting the one I already have configured for my app.
Here is my normal chain:
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
TokenAuthenticationProcessingFilter
UsernamePasswordAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
MdcFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
SwitchUserFilter
]
By simply adding @EnableResourceServer my other filters (e.g. UsernamePasswordAuthenticationFilter, etc.) are removed, yielding:
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
OAuth2AuthenticationProcessingFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
Is this related to spring-projects/spring-boot#4332 ?
My intention is to have the same REST API endpoints (/api/**) guarded by:
- Traditional username/password/session-based authentication and authorization (via UserDetails with GrantedAuthorities, etc.)
- OAuth-based authorization (with bearer token).
The traditional authorization has been working well. I am now trying to layer in the OAuth piece. Is there a recommended configuration for such a scenario?
Perhaps for such a setup I should forgo the ResourceServerConfiguration class and manually insert the OAuth2AuthenticationFilter into the Security Filter chain.
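The approach proposed in the comment above, written out as an added example that is not code from this thread or from the spring-security-oauth project: a single WebSecurityConfigurerAdapter for /api/** that inserts OAuth2AuthenticationProcessingFilter ahead of UsernamePasswordAuthenticationFilter instead of using @EnableResourceServer, so the existing filter chain is kept and the endpoints stay protected (authenticated(), not the permitAll() workaround). The class name ApiSecurityConfig is assumed, and a ResourceServerTokenServices bean is assumed to be defined elsewhere.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Assumed class name. Ordered ahead of the other WebSecurityConfigurerAdapters
// (default order 100) so the /api/** matcher is consulted first.
@Configuration
@Order(1)
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed to be provided elsewhere (e.g. a DefaultTokenServices or RemoteTokenServices bean).
    @Autowired
    private ResourceServerTokenServices tokenServices;

    private OAuth2AuthenticationProcessingFilter bearerTokenFilter() {
        OAuth2AuthenticationManager oauthManager = new OAuth2AuthenticationManager();
        oauthManager.setTokenServices(tokenServices);

        OAuth2AuthenticationProcessingFilter filter = new OAuth2AuthenticationProcessingFilter();
        filter.setAuthenticationManager(oauthManager);
        // Not stateless: a request without a bearer token keeps the session-based
        // Authentication that SecurityContextPersistenceFilter restored, so form-login
        // users and bearer-token clients share one chain. An invalid token is still
        // rejected by the filter's default OAuth2AuthenticationEntryPoint.
        filter.setStateless(false);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/api/**")
            // Bearer token is evaluated before the username/password filter; a request
            // without one falls through to whatever session authentication exists.
            .addFilterBefore(bearerTokenFilter(), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                // Require authentication here; permitAll() is what left the resources open.
                .anyRequest().authenticated();
    }
}
```

The other WebSecurityConfigurerAdapters in the application keep their own ordering and matchers and continue to handle the non-/api/** requests.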
@sirianni Can you show how you configured your app without using ResourceServerConfiguration?
@sirianni can you explain how you filter and extract and validate the bearer token...
Some code maybe...
btw this issue still exists today...
Thx..
Still exists
I solved it in the following manner:
- Configure the HttpSecurity in the ResourceServerConfig class as follows:

```java
http
    .addFilter(filterSecurityInterceptor())
    .authorizeRequests()
        .antMatchers("/**").permitAll();
```

- Define a filterSecurityInterceptor bean along with an AccessDecisionManager within the same class:

```java
// Collaborators referenced by the interceptor bean (injected into the same class)
@Autowired
private AuthenticationManager authenticationManager;

@Autowired
private FilterInvocationSecurityMetadataSource filterInvocationServiceSecurityMetadataSource;

@Bean
public FilterSecurityInterceptor filterSecurityInterceptor() {
    FilterSecurityInterceptor filter = new FilterSecurityInterceptor();
    filter.setAuthenticationManager(authenticationManager);
    filter.setAccessDecisionManager(accessDecisionManager());
    // Custom metadata source that supplies the URL permissions at runtime
    filter.setSecurityMetadataSource(filterInvocationServiceSecurityMetadataSource);
    return filter;
}

public AccessDecisionManager accessDecisionManager() {
    // Unanimous: every voter must grant (or abstain) for access to be allowed
    return new UnanimousBased(Arrays.asList(
            new WebExpressionVoter(), new ScopeVoter(), new RoleVoter(), new AuthenticatedVoter()));
}
```

- Create a custom implementation of FilterInvocationSecurityMetadataSource, referred to as filterInvocationServiceSecurityMetadataSource. This implementation reads the permissions at runtime and creates an instance of FilterInvocationSecurityMetadataSource using a class such as ExpressionBasedFilterInvocationSecurityMetadataSource. This is used to update the dynamic URL permissions later.
Got the inspiration for creating a custom implementation of SecurityMetadataSource from the Spring Security book by Mick Knutson.