spring-attic / spring-cloud-security

Security concerns for distributed applications implemented in Spring
Apache License 2.0

ResourceServer and GlobalMethodSecurity error #114

Closed paulux84 closed 5 years ago

paulux84 commented 7 years ago

I have the following Spring Boot microservice:

@SpringBootApplication
@EnableMongoAuditing
@EnableMongoRepositories
@EnableEurekaClient
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WaveServiceApplication {

    public static void main(String[] args) {
        SpringApplication.run(WaveServiceApplication.class, args);
    }

    @Configuration
    @EnableResourceServer
    class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.requestMatchers()
                    .antMatchers("/**")
                    .and()
                    .authorizeRequests()
                    .anyRequest().hasRole("ADMIN");
        }
    }
}

This protects my REST server with the OAuth2 protocol (only admin can access the resource). Now I would like to add GlobalMethodSecurity support, but adding @GlobalMethodSecurity to the OAuth2ResourceConfig class raises the following error:

Caused by: java.lang.IllegalStateException: Cannot apply org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer@745bbadd to already built object
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.add(AbstractConfiguredSecurityBuilder.java:196) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.apply(AbstractConfiguredSecurityBuilder.java:133) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.builders.HttpSecurity.getOrApply(HttpSecurity.java:1372) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests(HttpSecurity.java:651) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer.configure(ResourceServerSecurityConfigurer.java:199) ~[spring-security-oauth2-2.0.12.RELEASE.jar:na]
    at org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer.configure(ResourceServerSecurityConfigurer.java:55) ~[spring-security-oauth2-2.0.12.RELEASE.jar:na]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:384) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:330) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:290) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.builders.WebSecurity.performBuild(WebSecurity.java:77) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:334) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:104) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$b0dc931c.CGLIB$springSecurityFilterChain$5(<generated>) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$b0dc931c$$FastClassBySpringCGLIB$$2e3875a4.invoke(<generated>) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) ~[spring-core-4.3.6.RELEASE.jar:4.3.6.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:356) ~[spring-context-4.3.6.RELEASE.jar:4.3.6.RELEASE]
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$b0dc931c.springSecurityFilterChain(<generated>) ~[spring-security-config-4.1.4.RELEASE.jar:4.1.4.RELEASE]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_121]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_121]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_121]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_121]
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162) ~[spring-beans-4.3.6.RELEASE.jar:4.3.6.RELEASE]
    ... 26 common frames omitted

Is this a bug or a misconfiguration problem? Thanks

dsyer commented 7 years ago

Not sure what you mean there (@GlobalMethodSecurity isn't an annotation from Spring).

spencergibb commented 5 years ago

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
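
For reference, a layout that keeps method security in its own configuration class next to the resource server, using Spring Security's `@EnableGlobalMethodSecurity` (an added example, not code from this thread or from the project). `MethodSecurityConfig`, `WaveService`, its methods and the `read` scope are hypothetical, and the thread does not establish whether this layout avoids the exception reported above.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.stereotype.Service;

// URL-level rule taken from the original post: every request requires ROLE_ADMIN.
@Configuration
@EnableResourceServer
class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().hasRole("ADMIN");
    }
}

// Method security lives in a dedicated class (hypothetical name), so the
// annotation is not placed on the ResourceServerConfigurerAdapter itself.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        // Makes #oauth2.hasScope(...) available in @PreAuthorize expressions.
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

// Hypothetical service: the method-level checks still apply if a URL rule is
// later loosened or the method is reached from another code path.
@Service
class WaveService {
    private final Map<String, String> waves = new ConcurrentHashMap<>();

    @PreAuthorize("#oauth2.hasScope('read')") // 'read' is an assumed scope name
    public String findWave(String id) { return waves.get(id); }

    @Secured("ROLE_ADMIN")
    public void deleteWave(String id) { waves.remove(id); }
}
```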