spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

OAuth2 OAuth2AuthenticationProcessingFilter is not present when calling secured endpoints #1131

Open osgafarov opened 6 years ago

osgafarov commented 6 years ago

Hi,

I am developing a Spring Boot OAuth2 + mobile client with authorization_code flow. I have a custom login page, so when the mobile client calls oauth/authorize, the server redirects the user to Login page, the user signs in, then the server issues an authorization code and with this authorization code, the app requests the token.

However, when calling a secure API and passing the Bearer token, the server fails with an exception:

Authentication exception occurred; redirecting to authentication entry point

What is interesting is when the Spring boot app is started I can see the OAuth2AuthenticationProcessingFilter filter in the logs:

2017-08-05 22:37:54.102  INFO 18809 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Creating filter
 chain:
 org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@7efa3f63,
 [
 org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7134b8a7,
 org.springframework.security.web.context.SecurityContextPersistenceFilter@3ff54f3d,
 org.springframework.security.web.header.HeaderWriterFilter@7b61bf11,
 org.springframework.security.web.authentication.logout.LogoutFilter@18b74ea,
 org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter@1665fa54,
 org.springframework.security.web.savedrequest.RequestCacheAwareFilter@14c93774,
 org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@62a68bcb,
 org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2262d6d5,
 org.springframework.security.web.session.SessionManagementFilter@40247d48,
 org.springframework.security.web.access.ExceptionTranslationFilter@315105f,
 org.springframework.security.web.access.intercept.FilterSecurityInterceptor@70025b99]

However, when calling curl -H "Authorization: bearer eaee916e-fdf1-4e80-808e-cfd9b2944539" localhost:8080/users

I see the following logs:

.808 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-08-05 23:14:24.808 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-08-05 23:14:24.809 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@7091e577
2017-08-05 23:14:24.809 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 4 of 11 in additional filter chain; firing Filter: 'CsrfFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 5 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /users' doesn't match 'POST /logout
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 6 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /users' doesn't match 'POST /login
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 8 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.session.SessionManagementFilter  : Requested session ID 82C8AE1B7613B93D9F52F5A09CA5D114 is invalid.
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 10 of 11 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2017-08-05 23:14:24.810 DEBUG 19570 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /users at position 11 of 11 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2017-08-05 23:14:24.811 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /users' doesn't match 'POST /logout
2017-08-05 23:14:24.811 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/users'; against '/resources/**'
2017-08-05 23:14:24.811 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /users; Attributes: [authenticated]
2017-08-05 23:14:24.814 DEBUG 19570 --- [nio-8080-exec-3] o.s.b.a.audit.listener.AuditListener     : AuditEvent [timestamp=Sat Aug 05 23:14:24 CEST 2017, principal=<unknown>, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.AuthenticationCredentialsNotFoundException, message=An Authentication object was not found in the SecurityContext}]
2017-08-05 23:14:24.817 DEBUG 19570 --- [nio-8080-exec-3] o.s.s.w.a.ExceptionTranslationFilter     : Authentication exception occurred; redirecting to authentication entry point

And as you can see in the second log, it did not go through OAuth2AuthenticationProcessingFilter.

Here is my configuration: https://gist.github.com/osgafarov/ef432de739f0e8dd2eb595c0c75aff1d

Here is the flow:

[screenshot of the flow, taken 2017-08-06 12:25:57]

Do you know what might be wrong in my configuration? I've already spent quite some time trying to figure it out, but cannot find what is wrong.

Thanks, Osman

adolfoweloy commented 6 years ago

Why are you annotating the class OAuth2Configuration with @EnableResourceServer and @EnableAuthorizationServer at the same time?

Just another tip, you don't need to inject AuthenticationManagerBuilder for password grant type. Injecting AuthenticationManager should be enough.

junneyang commented 6 years ago

any solution?

osgafarov commented 6 years ago

I ended up with this configuration and it worked for me:

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .formLogin().loginPage("/login").permitAll()
                .and()
                // Scope this (form-login) chain to the login page and the authorization
                // endpoints only, so other URLs such as /users are left to the resource
                // server chain that contains OAuth2AuthenticationProcessingFilter.
                .requestMatchers().antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .authorizeRequests().anyRequest().authenticated();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // Paths listed here bypass the security filter chains entirely (no token check at all).
        web.ignoring()
                .antMatchers(HttpMethod.PUT, "/users/")
                .antMatchers("/users/facebook/**")
                .antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources/**", "/configuration/security", "/swagger-ui.html", "/webjars/**");
    }
}
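The two-chain layout that the working configuration above relies on, written out as an added example (not code from the thread or from the project): the form-login chain is scoped with requestMatchers() to the login and authorization endpoints and given an explicit @Order so it is consulted before the resource server chain (ResourceServerConfiguration is @Order(3)), while a separate ResourceServerConfigurerAdapter claims /users/** so that a Bearer request reaches OAuth2AuthenticationProcessingFilter instead of the login redirect. The class names, the order value and the /users/** paths are assumptions for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

/**
 * Chain 1 (assumed name): the interactive login chain. requestMatchers() limits the
 * whole chain to the login page and the authorization endpoints, so a request for
 * /users is not claimed here and falls through to the resource server chain.
 * Order 1 sits between the authorization server chain (0) and the resource server chain (3).
 */
@Configuration
@Order(1)
class LoginChainConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
                .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access")
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}

/**
 * Chain 2 (assumed name): the resource server chain, which is the one that contains
 * OAuth2AuthenticationProcessingFilter. A Bearer token on /users is validated here;
 * a missing or invalid token yields a 401 from the OAuth2 entry point rather than a
 * redirect to /login.
 */
@Configuration
@EnableResourceServer
class ApiChainConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers().antMatchers("/users/**")
                .and()
            .authorizeRequests()
                // Sign-up stays reachable without a token but inside the chain, so the
                // request is still logged and filtered; web.ignoring() would skip every filter.
                .antMatchers(HttpMethod.PUT, "/users/").permitAll()
                .anyRequest().authenticated();
    }
}
```

With this split, the DEBUG trace for a Bearer request to /users should list OAuth2AuthenticationProcessingFilter in the fired filters, which is the quickest check that the right chain was selected.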