Closed kopax closed 7 years ago
Is related with https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.5-Release-Notes#oauth-2-resource-filter ?
Yes it is on the same topic. I can't tell you if my issue is due to these changes ?
Do you wan't me to redo the test on spring-boot 1.4.1.RELEASE ?
@kazuki43zoo according to your link and the setup I want. What @Order value should I use for WebSecurityConfigurerAdapter
and ResourceServerConfigurerAdapter
?
Could you try as follow ?
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/oauth/**") // ### Specify path pattern that need OAuth authentication(Bearer auth) and authorization
.authorizeRequests()
.antMatchers(
"/**"
).access("#oauth2.hasScope('write') " +
"and #oauth2.clientHasRole('ROLE_CLIENT') " +
"and hasRole('USER')");
}
...
}
@kazuki43zoo I would like to know if there is a difference between this
http.antMatcher("/oauth/**") // ### Specify path pattern that need OAuth authentication(Bearer auth) and authorization
.authorizeRequests()
.antMatchers(
"/**"
).access("#oauth2.hasScope('write') " +
"and #oauth2.clientHasRole('ROLE_CLIENT') " +
"and hasRole('USER')");
and this
http
.authorizeRequests()
.antMatchers(
"/oauth/**", // ### Specify path pattern that need OAuth authentication(Bearer auth) and authorization
"/**"
).access("#oauth2.hasScope('write') " +
"and #oauth2.clientHasRole('ROLE_CLIENT') " +
"and hasRole('USER')");
Could you try as follow ?
With what @Order
exactly?
I did try with @Order(2)
, no @Order
annotation on ResourceServerConfig
.
Same thing as before, having @Order(2)
on WebMvcSecurity
result in an ignored OAuth2 security filter chain.
In my understand ...
Default orders are as follow on Spring Boot:
WebSecurityConfigurerAdapter
-> 100
2147483639
(= SecurityProperties.ACCESS_OVERRIDE_ORDER
- 1
)In other words, a security filter chain that configure by a extends class of WebSecurityConfigurerAdapter
will apply by default. (resource server filter chain will be not used)
If you want to apply a resource server filter chain for /oauth/***
, you need to specify order as follow:
ACCESS_OVERRIDE_ORDER
(= 2147483640
)2147483639
)or
100
)99
or under (e.g: security.oauth2.resource.filter-order=99
)And specify a matcher pattern on (2) as follow:
http.antMatcher("/oauth/**")
.authorizeRequests()
....
As result...
You can use a resource server filter chain for request that matches /oauth/**
and you can use a security filter chain that configure by a extends class of WebSecurityConfigurerAdapter
for other request (e.g: /login
, /ping
and more ... ).
If you need more information, i think you should be provide a reproduce project that can be run on GitHub. And i think your question should be posted to the StackOverflow.
Thanks.
Thanks for the quick reply.
It seems from the javadoc that http.antMatcher("/oauth/**") is the same as http.requestMatchers().antMatchers("/oauth/**)
Allows configuring the {@link HttpSecurity} to only be invoked when matching the provided ant pattern. If more advanced configuration is necessary, consider using {@link #requestMatchers()} or {@link #requestMatcher(RequestMatcher)}.
I have tried both of the configuration. They seems to be able to protect the endpoint /oauth/**
, but all the endpoints /**
should be OAuth secure.
I have created a demo repository.
There's a README with a sum up of the security strategy.
Clone the project
git clone https://github.com/kopax/spring-security-oauth-issues-1024 && cd spring-security-oauth-issues-1024
start the server
./gradlew build --info && java -jar build/libs/api-oauth2.jar --spring.profiles.active=default
get a cookie
export COOKIE=$(curl -v --silent http://localhost:8081/ 2>&1 | grep cookie -i | awk -F ' ' '{print $3}')
authenticate the cookie
export COOKIE=$(curl --cookie "$COOKIE" -d username=admin -d password=verysecret -v --silent http://localhost:8081/login 2>&1 | grep cookie -i | awk -F ' ' '{print $3}')
try to get a secured oauth resource at /
curl --cookie "$COOKIE" -v http://localhost:8081/
http status code 401
due to missing header Authorization
http status code 200
Spring server:
Security account (cookie):
admin
verysecret
OAuth account (jwt):
myfirstapp
test
http://localhost:8081/
http://localhost:8081/oauth/token
http://localhost:8081/oauth/authorize
code
http://localhost:8081/cb/myfirstapp
Hi, It is still possible to access without a Bearer. See my reply on PR
Every configuration I have tried just can't work together on the same endpoint. As soon a route is added to (1), it get canceled in (2).
Are you absolutely sure that spring-security and spring-security-oauth can work on the same endpoint ?
It's also possible that the API must have separate endpoints. (I haven't found any project that use both plugin on top of each for a defined endpoint.)
I am having the same problem. I want ldap authentication for some resources and oauth on others and can only get one or the other to work. Not both. Have you made any progress or do you have a work around?
It is one or the other. You can't have both.
I have the same problem
Could you try following code. It works fine for me.
https://spring.io/guides/topicals/spring-security-architecture/ "The most important feature of this dispatch process is that only one chain ever handles a request."
@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
super.configure(resources);
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
// For org.springframework.security.web.SecurityFilterChain.matches(HttpServletRequest)
.requestMatchers(
new NegatedRequestMatcher(
new OrRequestMatcher(
new AntPathRequestMatcher("/login"),
new AntPathRequestMatcher("/logout"),
new AntPathRequestMatcher("/oauth/authorize"),
new AntPathRequestMatcher("/oauth/confirm_access")
)
)
)
.and()
.authorizeRequests().anyRequest().authenticated();
}
}
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
// For org.springframework.security.web.SecurityFilterChain.matches(HttpServletRequest)
.requestMatchers(
new OrRequestMatcher(
new AntPathRequestMatcher("/login"),
new AntPathRequestMatcher("/logout"),
new AntPathRequestMatcher("/oauth/authorize"),
new AntPathRequestMatcher("/oauth/confirm_access")
)
)
.and()
.authorizeRequests().anyRequest().authenticated()
.and()
.formLogin().permitAll()
.and()
.logout().permitAll();
}
}
@namioka Shouldn't ResourceServerConfiguration only match negatively on /login and /logout? And WebSecurityConfiguration negatively on /oauth/**?
@lilalinux '/oauth/authorize' and '/oauth/confirm_access' require the user authentication (Not resource server authentication by access tokens).
@kopax Did you resolve this issue? I am having same trouble when selecting HttpBasic and OAuth on the basis of Endpoint.
Me too. With Spring Boot 1.5.8.RELEASE, Spring Security 4.2.3.RELEASE. OAuth filter chain was ignored.
@kevinojt I have figured out a solution for this. Look at my answer https://stackoverflow.com/questions/50796327/can-we-use-httpbasic-and-oauth2-both-for-an-api-depending-on-path-variable/50877797#50877797
Thanks @kevinojt ! It worked perfect for me.
@cpandya231 yes, it works.
Here is my solution same as yours.
/**
* Config Spring security policy.
*
* About @Order
* With SpringBoot must set @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
* on WebSecurityConfiguration or Spring Security will
* put UsernamePasswordAuthenticationFilter before OAuth2AuthenticationProcessingFilter.
* It means OAuth2 authentication of resource server will not work.
*
*/
@Configuration
@EnableWebSecurity(debug = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
@Bean
public UserDetailsService userDetailsServiceBean() throws Exception {
return super.userDetailsServiceBean();
}
// Other code been omitted
}
@kevinojt Please respond on stackoverflow, need to improve reputation points.
How to define order of spring security filter chain
I am using the following dependency :
I have configured two springSecurityFilterChain using:
My endpoint should be secured like this :
(1) look like this:
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) @Order(2) public class SecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.NEVER) .and() .csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.GET, HttpPathStore.PING).permitAll() .antMatchers("/login").permitAll() .antMatchers("/logout").hasRole("USER") .antMatchers("/**").hasRole("USER") .anyRequest().authenticated() .and() .exceptionHandling() .accessDeniedHandler(accessDeniedHandler) .authenticationEntryPoint(authenticationEntryPoint) .and() .formLogin() .loginProcessingUrl(HttpPathStore.LOGIN) .successHandler(authenticationSuccessHandler) .failureHandler(authenticationFailureHandler) .permitAll() .and() .logout() .logoutUrl(HttpPathStore.LOGOUT) .logoutSuccessUrl(HttpPathStore.LOGIN_FROM_LOGOUT) .logoutSuccessHandler(logoutSuccessHandler) .permitAll(); } ... } __(_2_)__ look like this: @Configuration @EnableResourceServer @Order(3) public class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .authorizeRequests() .antMatchers(HttpMethod.GET, HttpPathStore.PING).permitAll() .antMatchers("/login").permitAll() .antMatchers("/logout").permitAll() .antMatchers( "/**" ).access("#oauth2.hasScope('write') " + "and #oauth2.clientHasRole('ROLE_CLIENT') " + "and hasRole('USER')"); } ... } Problem ------- If I set `@Order` on: - __(_1_)__ : `@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)` - __(_2_)__ : [DEFAULT] __Expected:__ as a user with a session and without a jwt, I expect to see the the response `401` from __(_2_)__ __Result:__ as a user with a session and without a jwt, I have the response `401` from __(_1_)__. If I set `@Order` on: - __(_1_)__ : `@Order(2)` - __(_2_)__ : `@Order(3)` __Expected:__ Order the web securityFilterChain before OAuth securityFilterhChain __Result:__ OAuth securityFilterChain configuration seems to be ignored by spring. Is there a way to get my configuration to have OAuth security after Basic security ?