tried to create a spring boot configuration with dual security checks on requests (Oauth2 token bearer and X509 certificates). I had 2 alternative ideas in mind, but cannot make it work either
dedicated endpoints for each type of securyt validation (/certif for certification validation, /token for token validation)
all endpoints checked with either token or certificate validation anything sucessfull would apply
This is my configuration that tries to achieve idea no 1:
@EnableResourceServer
@Configuration
@Order(1)
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Value("${xxx.auth.resourceId}")
private String resourceId;
@Autowired
private DefaultTokenServices tokenServices;
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId(resourceId)
.tokenServices(tokenServices)
.tokenExtractor(new BearerTokenExtractor());
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/unsecured/**")
.antMatchers("/token/**")
.and().authorizeRequests()
.antMatchers("/unsecured/**").permitAll()
.anyRequest().authenticated()
;
}
}
@EnableResourceServer
@Configuration
@Order(2)
public class X509ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
@Override
public void configure(HttpSecurity http) throws Exception {
http.requestMatchers()
.antMatchers("/certif/**")
.and()
.authorizeRequests()
.antMatchers("/certif/**").hasAuthority("AUTH")
.and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());
}
@Bean
public UserDetailsService userDetailsService() {
return new UserDetailsService() {
@Override
public UserDetails loadUserByUsername(String username) {
if (username.startsWith("xxx") || username.startsWith("XXX")) {
return new User(username, "",
AuthorityUtils
.commaSeparatedStringToAuthorityList("AUTH"));
}
throw new UsernameNotFoundException("User not found!");
}
};
}
}
For some reason I cannot make it work because filter OAuth2AuthenticationProcessingFilterseems to be deleting the authorization token created by filter X509AuthenticationFilterwhen I make a call with a certificate to /certif/info. I must mention that ResourceServerConfigurationis working ok when used alone and the /token/info endpoint is called with a token.
Mentioned filters are in spring-security-oauth:2.3.8 & spring-security-web:5.6.2
Orders have been changed in every direction but they seem to have no effect on how the filters are applied.
Any idea what is going on and how can I avoid this problem in order to achieve the desired behaviour?
tried to create a spring boot configuration with dual security checks on requests (Oauth2 token bearer and X509 certificates). I had 2 alternative ideas in mind, but cannot make it work either
This is my configuration that tries to achieve idea no 1:
For some reason I cannot make it work because filter
OAuth2AuthenticationProcessingFilter
seems to be deleting the authorization token created by filterX509AuthenticationFilter
when I make a call with a certificate to /certif/info. I must mention thatResourceServerConfiguration
is working ok when used alone and the /token/info endpoint is called with a token.Mentioned filters are in
spring-security-oauth:2.3.8
&spring-security-web:5.6.2
Orders have been changed in every direction but they seem to have no effect on how the filters are applied. Any idea what is going on and how can I avoid this problem in order to achieve the desired behaviour?