Using WebSecurityConfigurerAdapter with Spring OAuth2 and user-info-uri
I have created an Authorization service as follows
@SpringBootApplication
@EnableAuthorizationServer
public class AuthorizationApplication {
...
}
With this application.properties.
server.port=9000
security.oauth2.client.client-id=monederobingo
security.oauth2.client.client-secret=monederobingosecret
security.oauth2.client.authorized-grant-types=authorization_code,refresh_token,password,client_credentials
security.oauth2.client.scope=company,client
Then, in a separate spring boot project I have created a Resource Server.
@SpringBootApplication
@EnableResourceServer
public class App {
...
}
With this application.properties.
server.port=9090
spring.application.name=app
security.oauth2.resource.user-info-uri=http://localhost:9000/user
Now, everything works fine if I send a request like this localhost:9090/api with the appropriate token that was retrieved by Authorization Service.
However, I don't want to send this token when sending requests to localhost:9090/login.
For this I have created this class in my Resource server spring boot app.
@Configuration
public class SpringConfig extends WebSecurityConfigurerAdapter {
@Override protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/login")
.permitAll()
.antMatchers("/api/**")
.authenticated();
}
}
And now I don't need to send any token to send a request to /login.
However, I'm now geting the following message when sending request to /api with a valid token.
{
"timestamp": 1496027102659,
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/api/v1/points_configuration/314"
}
How can configure security for only a few URL patterns in Spring Security OAuth2?
Answer
Kindly follow this for more info regarding Spring OAuth security:Secure Spring REST Api with OAuth
In order to implement OAuth Security in Spring boot, you have to create Authorization & Resource server by extending them from AuthorizationServerConfigurerAdapter and ResourceServerConfigurerAdapter respectively.
Authorization Server
@Configuration
@EnableAuthorizationServer
public class AuthorizationApplication extends AuthorizationServerConfigurerAdapter{
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints)
throws Exception {
endpoints
.userDetailsService(userDetailsService)
.authenticationManager(this.authenticationManager).tokenStore(tokenStore()).approvalStoreDisabled();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(mongoClientDetailsService);
/*inMemory()
.withClient(propertyResolver.getProperty(PROP_CLIENTID))
.scopes("read", "write")
.authorities("ROLE_CLIENT")
.authorizedGrantTypes("password", "refresh_token","client_credentials")
.secret(propertyResolver.getProperty(PROP_SECRET))
.accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 18000));*/
}
//Do others stuff
}
Resource Server
All the Url that you want to protect using OAuth should be mentioned in this server configuration. It enables a Spring Security filter that authenticates requests using an incoming OAuth2 token. While mostly WebSecurityConfigurerAdapter extended class is used for basic security configuration like adding filters, allowing un-secure url or implementing session policies etc.
@Configuration
@EnableResourceServer
public class App extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers().antMatchers("/api/**").and().authorizeRequests()
.antMatchers("/api/**").authenticated();
}
//Do others stuff
}