kazuki43zoo
commented
7 years ago Closed kopax closed 7 years ago
kazuki43zoo
commented
7 years ago 
kopax
commented
7 years ago Is related with https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.5-Release-Notes#oauth-2-resource-filter ?
Yes it is on the same topic. I can't tell you if my issue is due to these changes ?
Do you wan't me to redo the test on spring-boot 1.4.1.RELEASE ?
kopax
commented
7 years ago @kazuki43zoo according to your link and the setup I want. What @Order value should I use for WebSecurityConfigurerAdapter and ResourceServerConfigurerAdapter ?
kazuki43zoo
commented
7 years ago Could you try as follow ?
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/oauth/**") // ### Specify path pattern that need OAuth authentication(Bearer auth) and authorization
.authorizeRequests()
.antMatchers(
"/**"
).access("#oauth2.hasScope('write') " +
"and #oauth2.clientHasRole('ROLE_CLIENT') " +
"and hasRole('USER')");
}
...
}@kazuki43zoo I would like to know if there is a difference between this
http.antMatcher("/oauth/**") // ### Specify path pattern that need OAuth authentication(Bearer auth) and authorization
.authorizeRequests()
.antMatchers(
"/**"
).access("#oauth2.hasScope('write') " +
"and #oauth2.clientHasRole('ROLE_CLIENT') " +
"and hasRole('USER')");and this
http
.authorizeRequests()
.antMatchers(
"/oauth/**", // ### Specify path pattern that need OAuth authentication(Bearer auth) and authorization
"/**"
).access("#oauth2.hasScope('write') " +
"and #oauth2.clientHasRole('ROLE_CLIENT') " +
"and hasRole('USER')");Could you try as follow ?
With what @Order exactly?
I did try with @Order(2), no @Order annotation on ResourceServerConfig.
Same thing as before, having @Order(2) on WebMvcSecurity result in an ignored OAuth2 security filter chain.
kazuki43zoo
commented
7 years ago In my understand ...
Default orders are as follow on Spring Boot:
WebSecurityConfigurerAdapter -> 1002147483639 (= SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)In other words, a security filter chain that configure by a extends class of WebSecurityConfigurerAdapter will apply by default. (resource server filter chain will be not used)
If you want to apply a resource server filter chain for /oauth/***, you need to specify order as follow:
ACCESS_OVERRIDE_ORDER (= 2147483640)2147483639)or
100)99 or under (e.g: security.oauth2.resource.filter-order=99)And specify a matcher pattern on (2) as follow:
http.antMatcher("/oauth/**")
.authorizeRequests()
....As result...
You can use a resource server filter chain for request that matches /oauth/** and you can use a security filter chain that configure by a extends class of WebSecurityConfigurerAdapter for other request (e.g: /login, /ping and more ... ).
If you need more information, i think you should be provide a reproduce project that can be run on GitHub. And i think your question should be posted to the StackOverflow.
Thanks.
kopax
commented
7 years ago Thanks for the quick reply.
It seems from the javadoc that http.antMatcher("/oauth/**") is the same as http.requestMatchers().antMatchers("/oauth/**)
Allows configuring the {@link HttpSecurity} to only be invoked when matching the provided ant pattern. If more advanced configuration is necessary, consider using {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
I have tried both of the configuration. They seems to be able to protect the endpoint /oauth/**, but all the endpoints /** should be OAuth secure.
I have created a demo repository.
There's a README with a sum up of the security strategy.
Clone the project
git clone https://github.com/kopax/spring-security-oauth-issues-1024 && cd spring-security-oauth-issues-1024start the server
./gradlew build --info && java -jar build/libs/api-oauth2.jar --spring.profiles.active=defaultget a cookie
export COOKIE=$(curl -v --silent http://localhost:8081/ 2>&1 | grep cookie -i | awk -F ' ' '{print $3}')authenticate the cookie
export COOKIE=$(curl --cookie "$COOKIE" -d username=admin -d password=verysecret -v --silent http://localhost:8081/login 2>&1 | grep cookie -i | awk -F ' ' '{print $3}')try to get a secured oauth resource at /
curl --cookie "$COOKIE" -v http://localhost:8081/http status code 401 due to missing header Authorization
http status code 200
Spring server:
Security account (cookie):
adminverysecretOAuth account (jwt):
myfirstapptesthttp://localhost:8081/http://localhost:8081/oauth/tokenhttp://localhost:8081/oauth/authorizecodehttp://localhost:8081/cb/myfirstappkopax
commented
7 years ago Hi, It is still possible to access without a Bearer. See my reply on PR
Every configuration I have tried just can't work together on the same endpoint. As soon a route is added to (1), it get canceled in (2).
Are you absolutely sure that spring-security and spring-security-oauth can work on the same endpoint ?
It's also possible that the API must have separate endpoints. (I haven't found any project that use both plugin on top of each for a defined endpoint.)
stevemenke
commented
7 years ago I am having the same problem. I want ldap authentication for some resources and oauth on others and can only get one or the other to work. Not both. Have you made any progress or do you have a work around?
kopax
commented
7 years ago It is one or the other. You can't have both.
Brandon0204
commented
7 years ago I have the same problem
masamitsunamioka
commented
6 years ago Could you try following code. It works fine for me.
https://spring.io/guides/topicals/spring-security-architecture/ "The most important feature of this dispatch process is that only one chain ever handles a request."
@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
super.configure(resources);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
// For org.springframework.security.web.SecurityFilterChain.matches(HttpServletRequest)
.requestMatchers(
new NegatedRequestMatcher(
new OrRequestMatcher(
new AntPathRequestMatcher("/login"),
new AntPathRequestMatcher("/logout"),
new AntPathRequestMatcher("/oauth/authorize"),
new AntPathRequestMatcher("/oauth/confirm_access")
)
)
)
.and()
.authorizeRequests().anyRequest().authenticated();
}
}@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
// For org.springframework.security.web.SecurityFilterChain.matches(HttpServletRequest)
.requestMatchers(
new OrRequestMatcher(
new AntPathRequestMatcher("/login"),
new AntPathRequestMatcher("/logout"),
new AntPathRequestMatcher("/oauth/authorize"),
new AntPathRequestMatcher("/oauth/confirm_access")
)
)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll();
}
}
lilalinux
commented
6 years ago @namioka Shouldn't ResourceServerConfiguration only match negatively on /login and /logout? And WebSecurityConfiguration negatively on /oauth/**?
masamitsunamioka
commented
6 years ago @lilalinux '/oauth/authorize' and '/oauth/confirm_access' require the user authentication (Not resource server authentication by access tokens).
cpandya231
commented
6 years ago @kopax Did you resolve this issue? I am having same trouble when selecting HttpBasic and OAuth on the basis of Endpoint.
kevinojt
commented
6 years ago Me too. With Spring Boot 1.5.8.RELEASE, Spring Security 4.2.3.RELEASE. OAuth filter chain was ignored.
cpandya231
commented
6 years ago @kevinojt I have figured out a solution for this. Look at my answer https://stackoverflow.com/questions/50796327/can-we-use-httpbasic-and-oauth2-both-for-an-api-depending-on-path-variable/50877797#50877797
rogeriobenetti
commented
6 years ago Thanks @kevinojt ! It worked perfect for me.
kevinojt
commented
6 years ago @cpandya231 yes, it works.
Here is my solution same as yours.
/**
* Config Spring security policy.
*
* About @Order
* With SpringBoot must set @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
* on WebSecurityConfiguration or Spring Security will
* put UsernamePasswordAuthenticationFilter before OAuth2AuthenticationProcessingFilter.
* It means OAuth2 authentication of resource server will not work.
*
*/
@Configuration
@EnableWebSecurity(debug = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
@Bean
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
// Other code been omitted
}@kevinojt Please respond on stackoverflow, need to improve reputation points.
How to define order of spring security filter chain
I am using the following dependency :
I have configured two springSecurityFilterChain using:
My endpoint should be secured like this :
(1) look like this:
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) @Order(2) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.NEVER) .and() .csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.GET, HttpPathStore.PING).permitAll() .antMatchers("/login").permitAll() .antMatchers("/logout").hasRole("USER") .antMatchers("/**").hasRole("USER") .anyRequest().authenticated() .and() .exceptionHandling() .accessDeniedHandler(accessDeniedHandler) .authenticationEntryPoint(authenticationEntryPoint) .and() .formLogin() .loginProcessingUrl(HttpPathStore.LOGIN) .successHandler(authenticationSuccessHandler) .failureHandler(authenticationFailureHandler) .permitAll() .and() .logout() .logoutUrl(HttpPathStore.LOGOUT) .logoutSuccessUrl(HttpPathStore.LOGIN_FROM_LOGOUT) .logoutSuccessHandler(logoutSuccessHandler) .permitAll(); } ... } __(_2_)__ look like this: @Configuration @EnableResourceServer @Order(3) public class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.GET, HttpPathStore.PING).permitAll() .antMatchers("/login").permitAll() .antMatchers("/logout").permitAll() .antMatchers( "/**" ).access("#oauth2.hasScope('write') " + "and #oauth2.clientHasRole('ROLE_CLIENT') " + "and hasRole('USER')"); } ... } Problem ------- If I set `@Order` on: - __(_1_)__ : `@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)` - __(_2_)__ : [DEFAULT] __Expected:__ as a user with a session and without a jwt, I expect to see the the response `401` from __(_2_)__ __Result:__ as a user with a session and without a jwt, I have the response `401` from __(_1_)__. If I set `@Order` on: - __(_1_)__ : `@Order(2)` - __(_2_)__ : `@Order(3)` __Expected:__ Order the web securityFilterChain before OAuth securityFilterhChain __Result:__ OAuth securityFilterChain configuration seems to be ignored by spring. Is there a way to get my configuration to have OAuth security after Basic security ?