spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Cannot apply ExpressionUrlAuthorizationConfigurer to already built object #517

Open robsilvia opened 9 years ago

robsilvia commented 9 years ago

Adding a ResourceServerConfigurerAdapter

@Configuration
protected static class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter { }

to oauth demo at https://github.com/dsyer/spring-security-angular/blob/master/oauth2/authserver/src/main/java/demo/AuthserverApplication.java

Causes the same problem as https://github.com/spring-projects/spring-security-oauth-javaconfig/issues/1

pwlnk commented 9 years ago

The same problem. Does any solution exist for this error?

robsilvia commented 9 years ago

You need to write your own configuration. Examples can be found in https://github.com/spring-projects/spring-security-oauth/tree/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration.

The issue itself is related to how configurers are handled at line 170 in https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java#L170-L176

robsilvia commented 9 years ago

I should also mention you're better off separating the resource server from the authorization server than writing your own configuration to get them both working on the same instance.

yankee42 commented 8 years ago

@robsilvia: Could you explain what you mean by separating resource server and authorization server? And maybe explain the background on what the problem is? I have the same problem, but I fail to understand the problem :-(.

robsilvia commented 8 years ago

When I wrote this I thought the only way to work around this problem was to create your own configuration or move the ResourceServerConfigurerAdapter over to a separate resource server instance.

I later found out that if you define a ResourceServerConfigurerAdapter you need to explicitly define a security builder.

This works

@Configuration
protected static class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }

}

This produces the above error

@Configuration
protected static class OAuth2ResourceConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        //http.authorizeRequests().anyRequest().authenticated();
    }

}

If you’re receiving this error message outside of an oauth2 context, as far as I can tell it means that somewhere authorizeRequests() is being called on an instance of HttpSecurity that has already been built (processed by the filterChain).