
Comments (14)

sirianni avatar sirianni commented on July 24, 2024 1

The suggested workaround has the side effect of overriding any HttpSecurity configuration done in other WebSecurityConfigurerAdapters in the application. For example, when I apply the workaround it allows unprotected access to all resources in my app.

from spring-security-oauth-javaconfig.

sirianni avatar sirianni commented on July 24, 2024 1

@trygvis - I ended up implementing my own filter to extract and validate the bearer token instead of using the Spring Security OAuth library.

from spring-security-oauth-javaconfig.

astropcrb avatar astropcrb commented on July 24, 2024 1

Any update on this issue? I am still experiencing it so it appears to not have been resolved.

Similar story to above. My http configuration is overridden by the @EnableResourceServer annotation. I have tried with @Order as well.

from spring-security-oauth-javaconfig.

rwinch avatar rwinch commented on July 24, 2024

@sirianni Sorry I wasn't clear. You can configure the authorization however you want. The key is to ensure that authorization is configured.

from spring-security-oauth-javaconfig.

sirianni avatar sirianni commented on July 24, 2024

Thanks @rwinch - yes, I think I understood that part. The problem is that I have an HttpSecurity configured already in a different WebSecurityConfigurerAdapter @Configuration in my app.

Given that, I expected that I would not need the workaround. However, without that workaround in my ResourceServerConfigurerAdapter class, I hit the above IllegalStateException.

My application has several WebSecurityConfigurerAdapter instances which (up until now) have worked cooperatively just fine. I guess I could try to merge all those into a single ResourceServerConfigurerAdapter config, but I'd rather not take that approach.

Any ideas?

from spring-security-oauth-javaconfig.

sirianni avatar sirianni commented on July 24, 2024

I've also tried adjusting the @Order of the ResourceServerConfigurer relative to the other WebSecurityConfigurers. No matter what I do:

  1. I need to include the http.authorizeRequests() as a workaround
  2. The http configuration specified in ResourceServerConfigurer overwrites anything configured in my other WebSecurityConfigurers.

from spring-security-oauth-javaconfig.

sirianni avatar sirianni commented on July 24, 2024

It looks like the ResourceServerConfiguration is building an entirely separate springSecurityFilterChain, overwriting the one I already have configured for my app.

Here is my normal chain:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  TokenAuthenticationProcessingFilter
  UsernamePasswordAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  MdcFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
  SwitchUserFilter
]

By simply adding @EnableResourceServer my other filters (e.g. UsernamePasswordAuthenticationFilter, etc.) are removed, yielding:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  OAuth2AuthenticationProcessingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

from spring-security-oauth-javaconfig.

sirianni avatar sirianni commented on July 24, 2024

Is this related to spring-projects/spring-boot#4332 ?

from spring-security-oauth-javaconfig.

sirianni avatar sirianni commented on July 24, 2024

My intention is to have the same REST API endpoints (/api/**) guarded by:

  1. Traditional username/password/session-based authentication and authorization (via UserDetails with GrantedAuthorities, etc.)
  2. OAuth-based authorization (with bearer token).

The traditional authorization has been working well. I am now trying to layer in the OAuth piece. Is there a recommended configuration for such a scenario?

from spring-security-oauth-javaconfig.
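One way to layer a resource server onto an existing application without it replacing the other WebSecurityConfigurerAdapter chains, added here as an example and not code from this thread or from the spring-security-oauth project: scope the resource-server chain to /api/** and give it explicit authorization rules rather than a blanket permitAll(). It assumes spring-security-oauth2 2.x class names; the resource id "api", the scopes "read" and "admin", and ROLE_ADMIN are placeholder values. With the chain's default stateless setting, /api/** is authenticated by bearer token only; the form-login session from the other adapter does not carry over to it.

```java
// Added example, not code from the thread. Assumes spring-security-oauth2 2.x class
// names; "api", "read", "admin" and ROLE_ADMIN are placeholder values.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Audience check: a token whose "aud" does not contain this id is rejected.
        resources.resourceId("api");
        // stateless(true) is the default: no HTTP session is consulted on this
        // chain, so only a valid bearer token can authenticate /api/** requests.
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // This chain handles /api/** only. ResourceServerConfiguration runs at
            // order 3, so the lower-priority adapters still receive every other URL.
            .antMatcher("/api/**")
            .authorizeRequests()
                // Explicit rules: antMatchers("/**").permitAll() here would leave
                // the whole API unauthenticated.
                .antMatchers("/api/admin/**")
                    .access("#oauth2.hasScope('admin') and hasRole('ADMIN')")
                .anyRequest()
                    .access("#oauth2.hasScope('read')");
    }
}

// The existing form-login chain is untouched; it only sees non-/api/** requests.
@Configuration
@EnableWebSecurity
@Order(100) // WebSecurityConfigurerAdapter's default order, shown for clarity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();
    }
}
```

A quick check after startup is to log both filter chains as in the comment above and confirm the original chain (with UsernamePasswordAuthenticationFilter) is still present alongside the OAuth2AuthenticationProcessingFilter chain.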

sirianni avatar sirianni commented on July 24, 2024

Perhaps for such a setup I should forgo the ResourceServerConfiguration class and manually insert the OAuth2AuthenticationFilter into the Security Filter chain.

from spring-security-oauth-javaconfig.

trygvis avatar trygvis commented on July 24, 2024

@sirianni Can you show how you configured your app without using ResourceServerConfiguration?

from spring-security-oauth-javaconfig.

pnukeid avatar pnukeid commented on July 24, 2024

@sirianni can you explain how you filter and extract and validate the bearer token...
Some code maybe...

btw this issue still exists today...

Thx..

from spring-security-oauth-javaconfig.

bitsofinfo avatar bitsofinfo commented on July 24, 2024

Still exists

from spring-security-oauth-javaconfig.

eajitesh avatar eajitesh commented on July 24, 2024

I solved it in the following manner:

  • Configure HttpSecurity code in the following manner in ResourceServerConfig class:

        // permitAll() here is deliberate: the FilterSecurityInterceptor added above
        // enforces the actual URL permissions via the custom metadata source.
        http
            .addFilter(filterSecurityInterceptor())
            .authorizeRequests().antMatchers("/**").permitAll();

  • Define a filterSecurityInterceptor Bean along with AccessDecisionManager within the same class:

        // authenticationManager and filterInvocationServiceSecurityMetadataSource are
        // fields injected into this config class; the latter is the custom
        // FilterInvocationSecurityMetadataSource described in the next bullet.
        @Bean
        public FilterSecurityInterceptor filterSecurityInterceptor() {
            FilterSecurityInterceptor filter = new FilterSecurityInterceptor();
            filter.setAuthenticationManager(authenticationManager);
            filter.setAccessDecisionManager(accessDecisionManager());
            filter.setSecurityMetadataSource(filterInvocationServiceSecurityMetadataSource);
            return filter;
        }

        // UnanimousBased: every voter that expresses an opinion must grant access.
        public AccessDecisionManager accessDecisionManager() {
            return new UnanimousBased(Arrays.asList(
                new WebExpressionVoter(), new ScopeVoter(), new RoleVoter(), new AuthenticatedVoter()));
        }

  • Create a custom implementation of FilterInvocationSecurityMetadataSource, referred to as filterInvocationServiceSecurityMetadataSource. This implementation reads the permissions at runtime and creates an instance of FilterInvocationSecurityMetadataSource using a class such as ExpressionBasedFilterInvocationSecurityMetadataSource. This is used to update the dynamic URL permissions later.

Got the inspiration for creating a custom implementation of SecurityMetadataSource from the Spring Security book by Mick Knutson.

from spring-security-oauth-javaconfig.
