Open rwinch opened 10 years ago
The suggested workaround has the side effect of overriding any `HttpSecurity` configuration done in other `WebSecurityConfigurerAdapter`s in the application. For example, when I apply the workaround it allows unprotected access to all resources in my app.
@sirianni Sorry I wasn't clear. You can configure the authorization however you want. The key is to ensure that authorization is configured.
Thanks @rwinch - yes, I think I understood that part. The problem is that I have an `HttpSecurity` configured already in a different `WebSecurityConfigurerAdapter` `@Configuration` in my app.

Given that, I expected that I would not need the workaround. However, without that workaround in my `ResourceServerConfigurerAdapter` class, I hit the above `IllegalStateException`.
My application has several `WebSecurityConfigurerAdapter` instances which (up until now) have worked cooperatively just fine. I guess I could try to merge all those into a single `ResourceServerConfigurerAdapter` config, but I'd rather not take that approach.
Any ideas?
I've also tried adjusting the `@Order` of the `ResourceServerConfigurer` relative to the other `WebSecurityConfigurer`s. No matter what I do (even adding `http.authorizeRequests()` as a workaround), the `http` configuration specified in `ResourceServerConfigurer` overwrites anything configured in my other `WebSecurityConfigurer`s.

It looks like the `ResourceServerConfiguration` is building an entirely separate `springSecurityFilterChain`, overwriting the one I already have configured for my app.
Here is my normal chain:

```
Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  TokenAuthenticationProcessingFilter
  UsernamePasswordAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  MdcFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
  SwitchUserFilter
]
```
By simply adding `@EnableResourceServer`, my other filters (e.g. `UsernamePasswordAuthenticationFilter`, etc.) are removed, yielding:

```
Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  OAuth2AuthenticationProcessingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]
```
Is this related to spring-projects/spring-boot#4332 ?
My intention is to have the same REST API endpoints (`/api/**`) guarded by:
The traditional authorization has been working well. I am now trying to layer in the OAuth piece. Is there a recommended configuration for such a scenario?
Perhaps for such a setup I should forgo the `ResourceServerConfiguration` class and manually insert the `OAuth2AuthenticationFilter` into the Security Filter chain.
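The behaviour described in this thread follows from how `FilterChainProxy` works: each `WebSecurityConfigurerAdapter` (and the `ResourceServerConfiguration` registered by `@EnableResourceServer`) builds its own `SecurityFilterChain`, and a request is handled by the first chain, in `@Order` sequence, whose request matcher accepts it. Chains are never merged. The resource server chain is assumed here to carry the spring-security-oauth2 default order of 3 and, unless told otherwise, matches every request, so it wins for every URL and the other chains are never consulted. One way to keep both sets of filters is to give the resource server chain a narrower request matcher. The following is an added example (not code from the issue thread or from the Spring projects) for spring-security-oauth2 2.x on Spring Security 4.x; the class names, the `api` resource id, the `/api/**` path and the order value 10 are illustrative assumptions:

```java
// Added example, not from the thread: two independent SecurityFilterChains so that
// @EnableResourceServer does not displace the existing session/form-login chain.
// Assumes spring-security-oauth2 2.x with Spring Security 4.x; names are illustrative.
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

@Configuration
@EnableResourceServer
public class ApiTokenSecurityConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("api"); // hypothetical resource id checked against the token's aud
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // This chain (library default order 3) now only claims requests that carry an
        // Authorization header, i.e. bearer-token clients. Every other request falls
        // through FilterChainProxy to the next chain, so the existing filters survive.
        http.requestMatcher(new RequestHeaderRequestMatcher("Authorization"))
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}

// Session-based chain for the same /api/** URLs when no bearer token is presented.
// Lower precedence than the resource server chain; order value is an assumption.
@Configuration
@Order(10)
class BrowserSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/api/**").authenticated()
                .anyRequest().permitAll()
            .and()
            .formLogin();
    }
}
```

Because the two chains are selected by request matcher rather than merged, it is worth checking the `Security filter chain:` debug output once per chain: a request with an `Authorization` header should list `OAuth2AuthenticationProcessingFilter`, and a plain browser request should still list `UsernamePasswordAuthenticationFilter`. A request with a malformed or expired token is rejected by the resource server chain and does not fall back to the session chain, which is the intended outcome: a client that claims token authentication is held to it.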
@sirianni Can you show how you configured your app without using `ResourceServerConfiguration`?
@trygvis - I ended up implementing my own filter to extract and validate the bearer token instead of using the Spring Security OAuth library.
@sirianni can you explain how you filter and extract and validate the bearer token... Some code maybe...
btw this issues still exist today...
Thx..
Any update on this issue? I am still experiencing it so it appears to not have been resolved.
Similar story to above. My http-configuration is overridden by @EnableResourceServer annotation. I have tried with @Order as well.
Still exists
I solved it in the following manner:
```java
http.addFilter(filterSecurityInterceptor())
    .authorizeRequests().antMatchers("/**").permitAll();
```

```java
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.oauth2.provider.vote.ScopeVoter;
import org.springframework.security.web.access.expression.WebExpressionVoter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;

// authenticationManager and filterInvocationServiceSecurityMetadataSource are
// injected fields of the configuration class (not shown in the comment).
@Bean
public FilterSecurityInterceptor filterSecurityInterceptor() {
    FilterSecurityInterceptor filter = new FilterSecurityInterceptor();
    filter.setAuthenticationManager(authenticationManager);
    filter.setAccessDecisionManager(accessDecisionManager());
    filter.setSecurityMetadataSource(filterInvocationServiceSecurityMetadataSource);
    return filter;
}

// All voters must agree (or abstain) for access to be granted.
public AccessDecisionManager accessDecisionManager() {
    return new UnanimousBased(Arrays.asList(
        new WebExpressionVoter(), new ScopeVoter(), new RoleVoter(), new AuthenticatedVoter()));
}
```

Got the inspiration for creating a custom implementation of `SecurityMetadataSource` from the Spring Security book by Mick Knutson.
Error is something like:
Workaround is