Spring security with Oauth2 or Http-Basic authentication for the same resource

java security spring-security spring-security-oauth2
user3613594 picture user3613594 · May 7, 2014 · Viewed 28.7k times · Source

I'm attempting to implement an API with resources that are protected by either Oauth2 OR Http-Basic authentication.

When I load the WebSecurityConfigurerAdapter which applies http-basic authentication to the resource first, Oauth2 token authentication is not accepted. And vice-versa.

Example configurations: This applies http-basic authentication to all /user/** resources

@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private LoginApi loginApi;

    @Autowired
    public void setLoginApi(LoginApi loginApi) {
        this.loginApi = loginApi;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(new PortalUserAuthenticationProvider(loginApi));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/users/**").authenticated()
                .and()
            .httpBasic();
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

This applies oauth token protection to the /user/** resource

@Configuration
@EnableResourceServer
protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/users/**")
        .and()
            .authorizeRequests()
                .antMatchers("/users/**").access("#oauth2.clientHasRole('ROLE_CLIENT') and #oauth2.hasScope('read')");
    }
}

I'm sure there is some piece of magic code I'm missing which tells spring to attempt both if the first has failed?

Any assistance would be most appreciated.

Answer

kca2ply picture kca2ply · Mar 27, 2016

I managed to get this work based on the hints by Michael Ressler's answer but with some tweaks.

My goal was to allow both Basic Auth and Oauth on the same resource endpoints, e.g., /leafcase/123. I was trapped for quite some time due to the ordering of the filterChains (can be inspected in FilterChainProxy.filterChains); the default order is as follows:

  • Oauth authentication server (if enabled in the same project)'s filterChains. default order 0 (see AuthorizationServerSecurityConfiguration)
  • Oauth resource server's filterChains. default order 3 (see ResourceServerConfiguration). It has a request matcher logic that matches anything other than the Oauth authentication endpoints (e.g., /oauth/token, /oauth/authorize, etc. See ResourceServerConfiguration$NotOauthRequestMatcher.matches()).
  • The filterChains that corresponds to config(HttpSecurity http) - default order 100, see WebSecurityConfigurerAdapter.

Since resource server's filterChains ranks higher than the one by WebSecurityConfigurerAdapter configured filterchain, and the former matches practically every resource endpoint, then Oauth resource server logic always kick in for any request to resource endpoints (even if the request uses the Authorization:Basic header). The error you would get is:

{
    "error": "unauthorized",
    "error_description": "Full authentication is required to access this resource"
}

I made 2 changes to get this work:

Firstly, order the WebSecurityConfigurerAdapter higher than the resource server (order 2 is higher than order 3). 

@Configuration
@Order(2)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

Secondly, let configure(HttpSecurity) use a customer RequestMatcher that only matches "Authorization: Basic". 

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .anonymous().disable()
        .requestMatcher(new BasicRequestMatcher())
        .authorizeRequests()
            .anyRequest().authenticated()
            .and()
        .httpBasic()
             .authenticationEntryPoint(oAuth2AuthenticationEntryPoint())
            .and()
        // ... other stuff
 }
 ...
 private static class BasicRequestMatcher implements RequestMatcher {
    @Override
    public boolean matches(HttpServletRequest request) {
        String auth = request.getHeader("Authorization");
        return (auth != null && auth.startsWith("Basic"));
    }
 }

As a result it matches and handles a Basic Auth resource request before the resource server's filterChain has a chance to match it. It also ONLY handles Authorizaiton:Basic resource request, thus any requests with Authorization:Bearer will fall through, and then handled by resource server's filterChain (i.e., Oauth's filter kicks in). Also, it ranks lower than the AuthenticationServer (in case AuthenticationServer is enabled on the same project), so it doesn't prevent AuthenticaitonServer's filterchain from handling the request to /oauth/token, etc.

Related questions

Unit testing with Spring Security

My company has been evaluating Spring MVC to determine if we should use it in one of our next projects. So far I love what I've seen, and right now I'm taking a look at the Spring Security module to …

Read More
Spring MVC - Checking if User is already logged in via Spring Security?

I have a Spring MVC application.It uses its own custom Login page. Upon successful login, a 'LOGGED_IN_USER' object is placed in the HTTPSession. I want to allow only authenticated users to access URLs. I know i can …

Read More
What is the meaning and difference between subject, user and principal?

In the context of security frameworks, a few terms commonly occur subject, user and principal, of which I have not been able to find a clear definition and the difference between them. So, what exactly do these terms mean, and …

Read More